CVE-2023-21247: 
NixOS vulnerability analysis and mitigation

In getAvailabilityStatus of BluetoothScanningMainSwitchPreferenceController.java, there is a possible way to bypass a device policy restriction due to a missing permission check. This vulnerability (CVE-2023-21247) affects Android versions 12.0, 12.1, and 13.0. The vulnerability was disclosed in July 2023 and patched in the Android Security Bulletin (Android Bulletin).

The vulnerability exists in the BluetoothScanningMainSwitchPreferenceController.java component of Android's Settings application. It stems from a missing permission check that could allow bypassing the DISALLOWCONFIGLOCATION device policy restriction. The severity is rated as HIGH with a CVSS v3.1 Base Score of 7.8 (Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The vulnerability is classified under CWE-862 (Missing Authorization) (NVD Database).

A successful exploitation of this vulnerability could lead to local escalation of privilege with no additional execution privileges needed. The attacker could potentially bypass location service restrictions for Bluetooth scanning, compromising the device's security policy enforcement (NVD Database).

Google has released a patch that addresses this vulnerability by making location service's MainSwitchPreference pages for Bluetooth scanning unavailable when DISALLOWCONFIGLOCATION is set, thereby disabling direct access through intents. The fix was implemented in the Android Settings application (Android Git).