CVE-2023-21394: 
NixOS vulnerability analysis and mitigation

CVE-2023-21394 is a security vulnerability discovered in Android's Telecom service implementation. The vulnerability exists in the registerPhoneAccount function of TelecomServiceImpl.java, where a missing permission check could allow revealing images from another user. This vulnerability was disclosed in October 2023 and affects Android versions prior to 14.0 (NVD, CVE).

The vulnerability stems from a missing permission check in the registerPhoneAccount function of TelecomServiceImpl.java. It involves a potential bypass of a multi-user security boundary due to a confused deputy issue. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (MEDIUM) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating local access, low attack complexity, and high confidentiality impact (NVD).

The vulnerability could lead to local information disclosure without requiring additional execution privileges. Specifically, it allows an attacker to reveal images belonging to another user through the phone account registration process. No user interaction is required for exploitation (NVD).

Google has addressed this vulnerability by implementing a lightweight solution for parsing the image URI to detect profile exploitation. The fix was implemented in Android 14.0 and included in the December 2023 security patch level (Android Source).