In setAllowOnlyVpnForUids of NetworkManagementService...
High severity
Unreviewed
Published
Nov 16, 2024
to the GitHub Advisory Database
•
Updated Dec 18, 2024
Description
Published by the National Vulnerability Database
Nov 15, 2024
Published to the GitHub Advisory Database
Nov 16, 2024
Last updated
Dec 18, 2024
In setAllowOnlyVpnForUids of NetworkManagementService.java, there is a possible security settings bypass due to a missing permission check. This could lead to local escalation of privilege allowing users to access non-VPN networks, when they are supposed to be restricted to the VPN networks, with no additional execution privileges needed. User interaction is not needed for exploitation.
References