CVE-2023-40137: 
NixOS vulnerability analysis and mitigation

CVE-2023-40137 is a vulnerability discovered in Android's DialogFillUi.java component that was disclosed in October 2023. The vulnerability allows viewing another user's images due to a confused deputy implementation, potentially leading to local information disclosure. This vulnerability affects multiple Android versions including 11.0, 12.0, 12.1, and 13.0 (NVD).

The vulnerability has been assigned a CVSS v3.1 Base Score of 3.3 (LOW) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. The vulnerability exists in multiple functions of DialogFillUi.java and requires local access with low attack complexity. No user interaction is needed for exploitation, though local privileges are required (NVD).

The vulnerability can lead to local information disclosure, specifically allowing an attacker to view another user's images. The attack does not require additional execution privileges or user interaction for exploitation (CVE).

Google has released a patch that verifies URI Permissions in Autofill RemoteViews. The fix includes checking permissions of URI inside of FillResponse's RemoteViews, and if the current user does not have the required permissions to view the URI, the RemoteView is dropped from displaying (Android Patch).