CVE-2022-20011

NameCVE-2022-20011
DescriptionIn getArray of NotificationManagerService.java , there is a possible leak of one user notifications to another due to missing check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12LAndroid ID: A-214999128
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
android-platform-frameworks-base (PTS)buster1:8.1.0+r23-3vulnerable
bullseye1:10.0.0+r36-3vulnerable
bookworm1:10.0.0+r36-10vulnerable
sid, trixie1:13.0.0+r66-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
android-platform-frameworks-basesource(unstable)(unfixed)unimportant

Notes

https://source.android.com/security/bulletin/2022-05-01
https://android.googlesource.com/platform/frameworks/base/+/f315ba91df3829d862371fbab9da584ce0a59bc6
Not accessible in Debian builds, No security impact for Android as provided in Debian
Search for package or bug name: Reporting problems