CVE-2023-35670: 
NixOS vulnerability analysis and mitigation

A path traversal vulnerability (CVE-2023-35670) was discovered in the computeValuesFromData function of FileUtils.java in Android's MediaProvider. The vulnerability affects Android versions 11, 12, 12L, and 13 without the September 2023 security patch. This security flaw allows applications with legacy external storage permissions to insert files into other apps' external private directories (Android Security Bulletin, NVD).

The vulnerability is classified as a path traversal error (CWE-22) in the MediaProvider component. It has been assigned a CVSS v3.1 base score of 7.8 (HIGH), with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The issue specifically occurs in the computeValuesFromData function of FileUtils.java, where improper path canonicalization allows for path traversal attacks (NVD).

If exploited, this vulnerability could lead to local escalation of privilege, allowing an attacker to bypass directory restrictions and insert files into other applications' external private directories. The attack requires no additional execution privileges or user interaction for exploitation (NVD).

Google has addressed this vulnerability in the Android September 2023 security patch. The fix involves implementing proper path canonicalization for file insertions by legacy apps, as evidenced by the patch commit. Users and administrators should ensure their Android devices are updated with the latest security patches (Android Patch).

Samsung has included this fix in their September 2023 security update rollout for Galaxy devices, indicating the industry's swift response to address this security concern (Samsung Update).