CVE-2024-43093

Description

In shouldHideDocument of ExternalStorageProvider.java, there is a possible bypass of a file path filter designed to prevent access to sensitive directories due to incorrect unicode normalization. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.

CVSS v3.1 Score

7.3

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CISA Known Exploited Vulnerability

This vulnerability is actively exploited in the wild.

Added: Nov 7, 2024 Remediation due: Nov 28, 2024

Weakness Type (CWE)

CWE-176 CWE-176

Affected Products

Vendor	Product	Versions
google	android	All
google	android	All
google	android	All
google	android	All
google	android	All

References

Advisories & Patches

https://android.googlesource.com/platform/frameworks/base/+/7f83c671626f9bf993581f4598c22482d87cba10 https://source.android.com/security/bulletin/2025-03-01

Other References

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-43093

Frequently Asked Questions

What is CVE-2024-43093? +

In shouldHideDocument of ExternalStorageProvider.java, there is a possible bypass of a file path filter designed to prevent access to sensitive directories due to incorrect unicode normalization. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. It has a CVSS v3.1 base score of 7.3 (HIGH). This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild.

How severe is CVE-2024-43093? +

CVE-2024-43093 has a CVSS v3.1 score of 7.3 out of 10, rated HIGH. This is a high-severity vulnerability that should be prioritized for patching.

What products are affected by CVE-2024-43093? +

CVE-2024-43093 affects products from google, specifically: android. Check the affected products table above for specific version ranges.

How do I check if I'm vulnerable to CVE-2024-43093? +

You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2024-8067

In versions of Helix Core prior to 2024.1 Patch 2 (2024.1/2655224) a Windows ANSI API Unicode "best fit" argument injection …

CVE-2024-47611

XZ Utils provide a general-purpose data-compression library plus command-line tools. When built for native Windows (MinGW-w64 or MSVC), the command …

CVE-2017-20190

Some Microsoft technologies as used in Windows 8 through 11 allow a temporary client-side performance degradation during processing of multiple …

CVE-2024-24691 9.6

Improper input validation in Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and Zoom Meeting SDK for Windows …

CVE-2026-7040 7.5

Text::Minify::XS versions from 0.3.0 before 0.7.8 for Perl have a heap overflow when processing some malformed UTF-8 characters. The minify …

CVE-2025-55129 5.4

HackerOne community member Kassem S.(kassem_s94) has reported that username handling in Revive Adserver was still vulnerable to impersonation attacks after …