CVE-2023-21272: 
NixOS vulnerability analysis and mitigation

In readFrom of Uri.java, there is a possible bad URI permission grant due to improper input validation. This vulnerability (CVE-2023-21272) affects Android versions 11, 12, 12L, and 13. The issue was discovered and patched as part of the Android Security Bulletin in August 2023. The vulnerability could lead to local escalation of privilege with no additional execution privileges needed, and user interaction is not required for exploitation (NVD).

The vulnerability exists in the readFrom method of Uri.java component, where the interpretation of the path depends on whether the scheme or authority are specified. The issue stems from improper validation when unparcelling URIs. The vulnerability has been assigned a CVSS v3.1 Base Score of 7.8 (HIGH) with the vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability has been classified under CWE-20 (Improper Input Validation) and CWE-269 (Improper Privilege Management) (NVD).

The vulnerability can lead to local escalation of privilege, potentially allowing an attacker to gain unauthorized access to system resources. The high CVSS score indicates significant potential impact on confidentiality, integrity, and availability of the affected system (NVD).

The vulnerability was addressed in the Android Security Bulletin of August 2023. A patch was implemented to check authority and scheme as part of determining URI path, ensuring proper validation when unparcelling URIs. The fix was committed to the Android platform frameworks base (Android Git).