The US CISA added the following five new issues to its Known Exploited Vulnerabilities Catalog:
- CVE-2023-20963 – Android Framework Privilege Escalation Vulnerability. Android Framework contains an unspecified vulnerability that allows for privilege escalation after updating an app to a higher Target SDK with no additional execution privileges needed;
- CVE-2023-29492 – Novi Survey Insecure Deserialization Vulnerability. Novi Survey contains an insecure deserialization vulnerability that allows remote attackers to execute code on the server in the context of the service account.
Google addressed the vulnerability CVE-2023-20963 with the release of the Android Security Bulletin—March 2023 security updates. The bulletin confirmed that “there are indications that CVE-2023-20963 may be under limited, targeted exploitation.”
CISA orders federal agencies to fix this flaw by May 4, 2023.