
Cloud Vulnerability DB
A community-led vulnerabilities database
In onCreate of ConfirmDialog.java, there is a possible way to connect to VPN bypassing user's consent due to improper input validation. This vulnerability (CVE-2023-21251) affects Android versions 11.0, 12.0, 13.0, and 13.1. The vulnerability was disclosed in the July 2023 Android Security Bulletin and requires user execution privileges for exploitation (Android Bulletin, NVD).
The vulnerability exists in the VPN dialog component of Android's framework, specifically in the onCreate method of ConfirmDialog.java. The issue stems from improper sanitization of VPN labels, which could allow HTML injection. A malicious VPN application could potentially add a large number of line breaks with HTML to hide system-displayed text from the user in the connection request dialog. The vulnerability has been assigned a CVSS v3.1 base score of 7.3 (HIGH) with the vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H (NVD).
If successfully exploited, this vulnerability could lead to local escalation of privilege, with user execution privileges needed. An attacker could bypass the user consent mechanism for VPN connections, potentially allowing unauthorized VPN connections to be established (NVD).
Google has released a patch that sanitizes the content of VpnDialog. The fix includes a function to sanitize VPN labels and displays the package name instead of the VPN label if sanitization detects potential HTML tags or misleading content. The patch was implemented in the Android framework base (Android Patch).
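The label check described above can be sketched in plain Java. This is an added example, not code from the Android patch: the class and method names, the 150-character limit, and the sample labels are assumptions made for illustration.

```java
import java.util.List;

public class VpnLabelCheck {
    // Assumed upper bound for a label in this example; the page gives no number.
    static final int MAX_LABEL_LENGTH = 150;

    /** Escapes markup characters and line breaks so they can be detected by comparison. */
    static String escape(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            int type = Character.getType(c);
            if (c == '<') out.append("&lt;");
            else if (c == '>') out.append("&gt;");
            else if (c == '&') out.append("&amp;");
            else if (Character.isISOControl(c)
                    || type == Character.LINE_SEPARATOR
                    || type == Character.PARAGRAPH_SEPARATOR) {
                // Newlines and similar characters can push the system text out of view.
                out.append("&#").append((int) c).append(';');
            } else out.append(c);
        }
        return out.toString();
    }

    /** Returns the label only when it is plain, short text; otherwise the package name. */
    static String displayName(String label, String packageName) {
        if (label == null || label.trim().isEmpty()) return packageName;
        boolean altered = !escape(label).equals(label);
        boolean tooLong = label.length() > MAX_LABEL_LENGTH;
        return (altered || tooLong) ? packageName : label;
    }

    public static void main(String[] args) {
        String pkg = "com.example.vpn"; // constructed package name
        // Constructed labels: one benign, three that should fall back to the package name.
        List<String> labels = List.of(
                "Example VPN",
                "Update<br><br><br><br>Tap OK to continue",
                "Update\n\n\n\n\nTap OK to continue",
                "A".repeat(400));
        for (String label : labels) {
            System.out.println(displayName(label, pkg));
        }
    }
}
```

Falling back to the package name rather than showing a cleaned-up label means the consent dialog never displays text that the requesting application was able to shape with markup or padding.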
Source: This report was generated using AI