CVE-2023-21285: 
NixOS vulnerability analysis and mitigation

CVE-2023-21285 is a vulnerability discovered in Android's MediaSessionRecord.java component, specifically in the setMetadata function. The vulnerability was disclosed in August 2023 and affects Android versions 11.0, 12.0, 12.1, and 13.0. This security flaw allows a potential confused deputy scenario where one user could view another user's images (NVD, CVE).

The vulnerability exists in the setMetadata function of MediaSessionRecord.java and is related to URI permission handling. The issue stems from insufficient verification of URI permissions in MediaMetadata, which could lead to unauthorized access to image data. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.5 (MEDIUM) with a vector string of CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating local access is required but no user interaction is needed for exploitation (NVD).

The vulnerability can lead to local information disclosure, potentially allowing one user to view images belonging to another user. No additional execution privileges are required for exploitation, and the impact is primarily focused on confidentiality with no direct effects on system integrity or availability (CVE).

Google has released a patch that adds checks for URI permissions to ensure users can only access URIs they have permission for. If permission is denied, the URI string set in metadata is cleared. The fix was implemented in a commit that modifies the MediaSessionRecord.java file (Android Source).