CVE-2023-21300: 
NixOS vulnerability analysis and mitigation

In PackageManager, there is a possible way to determine whether an app is installed without query permissions due to side channel information disclosure. This vulnerability, identified as CVE-2023-21300, affects Android versions prior to Android 14.0. The vulnerability was disclosed and documented in the Android 14 Security Bulletin (Android Bulletin).

The vulnerability is classified with a CVSS v3.1 Base Score of 5.5 (MEDIUM) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The vulnerability stems from a side channel information disclosure in the PackageManager component, which could allow an attacker to determine the installation status of applications without having the necessary query permissions (NVD).

The vulnerability allows local information disclosure without requiring additional execution privileges. An attacker could potentially determine which applications are installed on a device without having the proper permissions to query this information (NVD).

The vulnerability has been patched in Android 14.0. Users and organizations should upgrade their Android devices to version 14.0 or later to mitigate this vulnerability (Android Bulletin).