Android Managed Provisioning Confused Deputy Vulnerability Allowing Unauthorized Data Access
Vulnerability
A confused deputy vulnerability has been identified in the Android Managed Provisioning app, specifically within the DisclaimersParserImpl.java file. This vulnerability allows for unauthorized access to data from another user, potentially leading to local privilege escalation. The issue arises because the validateUriSchemeAndPermission function improperly handles permission checks for certain URI schemes, enabling apps to access restricted data without the necessary authorization. Exploitation of this vulnerability does not require additional execution privileges or user interaction.
Impact
Exploitation of this vulnerability could result in unauthorized access to user data, allowing for potential misuse or manipulation of that information. Additionally, it could lead to local privilege escalation, enabling a user to gain elevated rights or access within the system.
Reproduction
The vulnerability can be reproduced by using an application that initiates a provisioning process and requests access to the terms_disclaimer URI without the proper permissions. This can be done by bypassing the standard permission checks for the SCHEME_ANDROID_RESOURCE URIs, which are typically restricted.
Remediation
Users can update to the latest version of the Android operating system, as security patch levels of 2025-09-01 or later address this vulnerability.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.