Cloud Vulnerability DB
A community-led vulnerabilities database
Vulnerability DatabaseCVE-2023-35674
CVE-2023-35674:
NixOS vulnerability analysis and mitigation
Overview
CVE-2023-35674 is a high-severity vulnerability discovered in the Android Framework, specifically in the onCreate method of WindowState.java. The vulnerability was disclosed in September 2023 and affects Android versions 11, 12, 12L, and 13. This security flaw allows attackers to launch background activities due to a logic error in the code, potentially leading to local privilege escalation. The vulnerability is particularly concerning as it requires no user interaction or additional execution privileges for exploitation (Android Bulletin, Bleeping Computer).
Technical details
The vulnerability has been assigned a CVSS v3.1 Base Score of 7.8 (HIGH) with the following vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The flaw exists in the Android Framework's WindowState.java component, specifically in the onCreate method. The vulnerability allows for privilege escalation through the manipulation of background activity launches, bypassing normal security controls (NVD).
Impact
The successful exploitation of CVE-2023-35674 can lead to local privilege escalation, potentially allowing attackers to gain elevated access to system resources. The vulnerability affects multiple versions of the Android operating system and could enable attackers to execute unauthorized commands with elevated privileges (Hacker News).
Mitigation and workarounds
Google has released security patches as part of the September 2023 Android security updates to address this vulnerability. Users are strongly encouraged to update their Android devices to the latest security patch level. The patch was released on September 1, 2023, and is available for Android versions 11, 12, 12L, and 13 (Android Bulletin, Bleeping Computer).
Community reactions
The vulnerability has garnered significant attention in the cybersecurity community due to its active exploitation status. Google has emphasized the importance of updating to the latest version of Android, noting that exploitation is made more difficult by enhancements in newer versions of the Android platform (Bleeping Computer).
Additional resources
Source: This report was generated using AI
Free Vulnerability Assessment
Benchmark your Cloud Security Posture
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
Additional Wiz resources
Get a personalized demo
Ready to see Wiz in action?
"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management