CVE-2023-40092: 
NixOS vulnerability analysis and mitigation

In verifyShortcutInfoPackage of ShortcutService.java, there is a possible way to see another user's image due to a confused deputy. This vulnerability (CVE-2023-40092) affects Android versions 11.0 through 14.0. The issue was discovered and disclosed in December 2023 (Android Bulletin).

The vulnerability exists in the ShortcutService.java component, specifically in the verifyShortcutInfoPackage function. It is classified as a local information disclosure vulnerability with a CVSS v3.1 base score of 5.5 MEDIUM (Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N). The issue stems from a confused deputy problem that could allow unauthorized access to another user's image (NVD).

This vulnerability could lead to local information disclosure, allowing an attacker to view images belonging to other users on the device. The attack requires no user interaction for exploitation, though local access and some privileges are needed (NVD).

Google has addressed this vulnerability in the December 2023 Android Security Bulletin. The fix was implemented through a code change in the platform/frameworks/base repository (Android Patch). Users should update their Android devices to the latest security patch level to mitigate this vulnerability.