CVE-2023-35668: 
NixOS vulnerability analysis and mitigation

In visitUris of Notification.java, there is a possible way to display images from another user due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. The vulnerability (CVE-2023-35668) affects Android versions 11.0 through 13.0 and was disclosed in December 2023 (Android Bulletin).

The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with the following vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The issue exists in the visitUris functionality of the Notification.java component, where a confused deputy vulnerability allows unauthorized access to images from other users (NVD).

The vulnerability allows local information disclosure, specifically enabling an attacker to view images belonging to another user. No additional execution privileges are required for exploitation, and user interaction is not needed (NVD).

The vulnerability has been patched in the December 2023 Android Security Bulletin. Users should update their Android devices to the latest security patch level to mitigate this vulnerability (Android Bulletin).