Android Download Provider Confused Deputy Vulnerability Allowing Information Disclosure
Vulnerability
A vulnerability in the Android Download Provider has been identified, where user consent can be bypassed when opening files in shared storage. This issue arises from a confused deputy scenario, potentially leading to unauthorized local information disclosure. The vulnerability is present in the Download Provider component, specifically in the 'checkWhetherCallingAppHasAccess' function of 'DownloadProvider.java'. It affects several Android versions, including 12, 12L, 13, 14, and 15. Notably, this vulnerability does not require additional execution privileges or user interaction for exploitation.
Impact
Exploitation of this vulnerability could result in unauthorized local information disclosure.
Remediation
Users can update their devices to the March 2025 security patch level to address this vulnerability. Instructions for checking and updating the Android version are available on the Google Support website.
