CVE-2023-21082 in Android
Summary
by MITRE • 04/19/2023
In getNumberFromCallIntent of NewOutgoingCallIntentBroadcaster.java, there is a possible way to enumerate other user's contact phone number due to a confused deputy. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.
Product: Android
Versions: Android-11, Android-12, Android-12L, Android-13
Android ID: A-257030107
Analysis
by VulDB Data Team • 09/10/2025
The vulnerability identified as CVE-2023-21082 resides in the Android operating system's telephony framework, specifically in the NewOutgoingCallIntentBroadcaster.java component. The flaw is a confused deputy problem: a malicious application can potentially enumerate contact phone numbers belonging to other users on the same device. It stems from insufficient input validation and improper privilege handling in the telephony service's intent processing. The affected versions are Android 11, 12, 12L, and 13, so the impact spans several system releases. Exploitation requires user execution privileges, meaning an attacker must already have an application running on the device with appropriate permissions.
Technically, the getNumberFromCallIntent method processes the call intent data it receives without properly sanitizing user-supplied parameters. A malicious application that intercepts or manipulates outgoing call intents can exploit the confused deputy scenario to obtain phone number information from other user accounts, because the system does not properly validate the calling application's identity and privileges before granting access to sensitive contact data. The vulnerability is categorized under CWE-264 (permissions, privileges, and access controls), manifesting as improper access control in the Android telephony service. The attack vector relies on the Android Intent system's trust model, in which applications can broadcast intents that system services then process without adequately verifying the intent's legitimacy.
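As an added illustration (not Android's code and not from VulDB), a small Java model of the confused-deputy pattern the analysis describes: a privileged deputy resolves a contact reference on behalf of a caller without tying the lookup to the caller's own user profile, beside a version that does. The class, uid values and contact data are constructed for the example; only the uid-to-user convention (PER_USER_RANGE) follows Android's.

```java
import java.util.HashMap;
import java.util.Map;

/** Hypothetical model of a privileged telephony deputy; not Android's real code. */
public class CallIntentDeputy {
    // Android convention: a uid encodes its user profile as uid / PER_USER_RANGE.
    static final int PER_USER_RANGE = 100000;

    // Constructed sample data: per-user contact stores, keyed by user id, then contact id.
    private final Map<Integer, Map<String, String>> contactsByUser = new HashMap<>();

    public CallIntentDeputy() {
        contactsByUser.put(0, Map.of("c1", "+1-555-0100"));   // primary user
        contactsByUser.put(10, Map.of("c7", "+1-555-0199"));  // second user profile
    }

    static int userIdOf(int uid) { return uid / PER_USER_RANGE; }

    /** Vulnerable pattern: the deputy uses its own privilege to resolve a contact
     *  reference for whichever user the caller names, never checking who is asking. */
    public String resolveNumberUnchecked(int callingUid, int targetUserId, String contactId) {
        Map<String, String> store = contactsByUser.get(targetUserId);
        return store == null ? null : store.get(contactId);
    }

    /** Hardened pattern: derive the caller's user profile from its uid and refuse
     *  to resolve references that belong to another profile. */
    public String resolveNumberChecked(int callingUid, int targetUserId, String contactId) {
        if (userIdOf(callingUid) != targetUserId) {
            throw new SecurityException("uid " + callingUid + " may not read user " + targetUserId);
        }
        return resolveNumberUnchecked(callingUid, targetUserId, contactId);
    }

    public static void main(String[] args) {
        CallIntentDeputy deputy = new CallIntentDeputy();
        int appUidUser0 = 10042;  // an ordinary app running as user 0 (constructed)
        // Confused deputy: user 0's app obtains a contact number stored under user 10.
        System.out.println("unchecked: " + deputy.resolveNumberUnchecked(appUidUser0, 10, "c7"));
        try {
            deputy.resolveNumberChecked(appUidUser0, 10, "c7");
        } catch (SecurityException e) {
            System.out.println("checked: denied (" + e.getMessage() + ")");
        }
        // Same-profile lookups still work once the check is in place.
        System.out.println("checked, own user: " + deputy.resolveNumberChecked(appUidUser0, 0, "c1"));
    }
}
```

The point of the checked version is that the authorization decision is derived from the caller's identity (its uid) rather than from a target the caller chooses, which is exactly what a confused deputy gets wrong.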
The operational impact goes beyond simple information disclosure: unauthorized enumeration of contact information can serve as a foundation for more sophisticated attacks. An attacker with user-level privileges could systematically read phone numbers from other user profiles and build contact lists for social engineering or targeted attacks. This is a significant privacy concern because it undermines the isolation between user profiles on multi-user Android devices. The vulnerability aligns with ATT&CK technique T1083 (directory and file discovery), since the attacker enumerates contact information through legitimate system interfaces. The flaw also contributes to broader information gathering that could support privilege escalation or lateral movement within compromised systems.
Mitigation for CVE-2023-21082 should focus on strengthening the telephony service's intent processing and enforcing proper privilege validation. System administrators should ensure that all Android devices are updated to the latest security patches provided by Google, as the vulnerability has been addressed in subsequent releases. Application developers should review their code to validate intents properly and avoid relying on potentially untrusted input from system services. Stricter access controls for telephony-related services and correctly enforced user profile isolation are the recommended approach. Organizations should also consider monitoring for suspicious intent processing activity and establish clear policies for handling user data access requests. Security teams should conduct regular vulnerability assessments of Android system services and ensure that all applications undergo security review before deployment. The fix itself typically involves strengthening the privilege checks in the NewOutgoingCallIntentBroadcaster component so that phone number enumeration is restricted to authorized applications only.