CVE-2023-21173 in Android
Summary
by MITRE • 06/28/2023
In multiple methods of DataUsageList.java, there is a possible way to learn about admin user's network activities due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-13. Android ID: A-262741858.
Analysis
by VulDB Data Team • 09/13/2025
CVE-2023-21173 affects DataUsageList.java, the data-usage screen of the AOSP Settings app (packages/apps/Settings, datausage package), on Android 13. Several methods in that class build and display network usage statistics without first checking whether the caller is entitled to see them. Android network statistics are kept per UID for the whole device, so a Settings instance running as a non-admin (secondary) user that reaches this code path can display traffic that belongs to the admin user. The root cause is the absent permission or user check, and the result is local information disclosure, which is how the MITRE summary classifies it.
The flaw is an authorization gap at the UI layer rather than in the kernel or the network stack: the Settings process already holds the privilege needed to read device-wide usage, and DataUsageList.java simply failed to confirm that the user it was rendering for was allowed to view it. That makes the screen a confused deputy. No additional execution privileges are required and no user interaction is needed; an app running in a secondary user, or the secondary user operating Settings directly, can reach the affected methods. This is the usual shape of a missing-permission-check bug in Android system apps, and it is a straightforward violation of least privilege: data that should be confined to the admin user becomes readable by every user on the device.
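The following Java example is added here to illustrate the class of bug described above. It is not the AOSP Settings source and not the actual patch for A-262741858; the class names, the extra name and the rendering stub are hypothetical. It shows a Settings-style activity that queries device-wide usage straight from the launching intent, beside a hardened version that refuses to run for non-admin users and validates the untrusted extras before touching NetworkStatsManager.

```java
// Added illustrative example (not AOSP Settings code, not the real fix).
// Assumes an Activity inside a privileged Settings-like app that already
// holds the permission needed for NetworkStatsManager.querySummaryForDevice.
package com.example.datausage;

import android.app.Activity;
import android.app.usage.NetworkStats;
import android.app.usage.NetworkStatsManager;
import android.content.Context;
import android.content.Intent;
import android.net.ConnectivityManager;
import android.os.Bundle;
import android.os.RemoteException;
import android.os.UserManager;

/** Shared helper: device-wide rx+tx bytes for one network type. */
final class DeviceUsage {
    private DeviceUsage() {}

    static long query(Context ctx, int networkType, long start, long end) {
        NetworkStatsManager nsm = ctx.getSystemService(NetworkStatsManager.class);
        if (nsm == null) return -1L;
        try {
            // Stats are per UID across all users on the device, so this total
            // includes the admin user's traffic whoever is asking.
            NetworkStats.Bucket b = nsm.querySummaryForDevice(networkType, null, start, end);
            return b == null ? 0L : b.getRxBytes() + b.getTxBytes();
        } catch (RemoteException | SecurityException e) {
            return -1L;
        }
    }
}

/** Vulnerable pattern: no check on who the running user is. */
class VulnerableDataUsageList extends Activity {
    static final String EXTRA_NETWORK_TYPE = "network_type"; // hypothetical extra name

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent intent = getIntent();
        int type = intent.getIntExtra(EXTRA_NETWORK_TYPE, ConnectivityManager.TYPE_WIFI);
        // Queried and shown immediately: a secondary user sees the admin user's usage.
        long total = DeviceUsage.query(this, type, 0L, System.currentTimeMillis());
        render(total);
    }

    void render(long bytes) { /* draw the list; stub for the example */ }
}

/** Hardened pattern: gate on the running user and validate the extras. */
public class HardenedDataUsageList extends Activity {
    static final String EXTRA_NETWORK_TYPE = VulnerableDataUsageList.EXTRA_NETWORK_TYPE;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        // The missing step: only the admin user may see device-wide usage.
        UserManager um = getSystemService(UserManager.class);
        if (um == null || !um.isAdminUser()) {
            finish();
            return;
        }

        // Extras arrive from an untrusted launching intent; allow-list them.
        int type = getIntent().getIntExtra(EXTRA_NETWORK_TYPE, ConnectivityManager.TYPE_WIFI);
        if (type != ConnectivityManager.TYPE_WIFI && type != ConnectivityManager.TYPE_MOBILE) {
            finish();
            return;
        }

        long total = DeviceUsage.query(this, type, 0L, System.currentTimeMillis());
        render(total);
    }

    void render(long bytes) { /* draw the list; stub for the example */ }
}
```

The check belongs in the activity (or fragment) that renders the data, not only in a menu that hides the entry point, because a crafted intent reaches the activity directly. UserManager.isAdminUser() answers for the user the app is running as; if the screen must also serve callers from other users, an INTERACT_ACROSS_USERS style permission check on the caller would be needed in addition, which this example does not attempt.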
Operationally, the exposed data is usage metadata rather than packet contents: which applications moved how much traffic over which network, and when. On a shared or enterprise device with multiple users that is still sensitive, because a secondary user can infer the admin user's application set and usage patterns, and that can feed targeted phishing or reconnaissance. Because no user interaction is needed, an app installed in a secondary user profile could collect this silently. The impact is confined to disclosure on the local device; the bug grants no additional code execution or privilege.
The weakness is a missing authorization check (the page maps it to CWE-284, Improper Access Control). It is a local information disclosure, not a privilege escalation, so exploitation requires neither network access nor memory corruption, only code running on the device in a non-admin user. Organizations should apply the Android security update that carries the fix for A-262741858 and, on devices where secondary users are not needed, consider preventing their creation through device policy (for example the UserManager.DISALLOW_ADD_USER restriction) so that only the admin user is present. A quick check on an unpatched multi-user device is to open the Settings data usage screen as a secondary user and confirm whether it lists traffic for apps that exist only in the admin user. The flaw is a reminder that a permission model only holds if every UI and system component that renders privileged data re-validates the caller rather than relying on the entry point being hidden.