CVE-2023-21270: 
NixOS vulnerability analysis and mitigation

In restorePermissionState of PermissionManagerServiceImpl.java, there is a possible way for an app to keep permissions that should be revoked due to incorrect permission flags cleared during an update. This vulnerability (CVE-2023-21270) affects Android versions 12, 12L, and 13. The vulnerability was discovered in November 2022 and publicly disclosed in the August 2023 Android Security Bulletin (Android Bulletin).

The vulnerability is classified as an Elevation of Privilege (EoP) issue with a CVSS v3.1 Base Score of 7.8 (HIGH). The attack vector is Local (L), with Low attack complexity (AC), requiring Low privileges (PR), and No user interaction (UI). The scope is Unchanged (U), with High impact on Confidentiality (C), Integrity (I), and Availability (A). The complete vector string is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

This vulnerability could lead to local escalation of privilege with User execution privileges needed. The successful exploitation allows an app to maintain permissions that should have been revoked during an update process, potentially giving the app unauthorized access to sensitive system resources or data (Android Bulletin).

The vulnerability has been patched in the Android security update released in August 2023. Users should update their Android devices to a security patch level of 2023-08-01 or later to address this vulnerability (Android Bulletin).