CVE-2023-35680: 
NixOS vulnerability analysis and mitigation

A vulnerability identified as CVE-2023-35680 affects multiple Android versions (11, 12, 12L, and 13). The vulnerability allows importing contacts belonging to other users due to a confused deputy issue. This security flaw was discovered and reported to Google, with patches released in the September 2023 security update (Android Bulletin).

The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The issue exists in multiple locations within the Android system, specifically related to contact import functionality. The vulnerability stems from a confused deputy problem that could lead to unauthorized access to user contacts (NVD).

The vulnerability can lead to local information disclosure, potentially exposing contact information belonging to other users on the same device. The impact is significant as it allows unauthorized access to private contact data without requiring additional execution privileges (NVD).

Google has addressed this vulnerability in the September 2023 Android Security Bulletin. The fix involves implementing additional checks in the Telephony service to verify if the URI is from the current user when handling intent results. Users should update their Android devices to the latest security patch level to protect against this vulnerability (Android Commit).