VYPR
Unrated severity · NVD Advisory · Published Dec 28, 2023 · Updated Aug 2, 2024

CVE-2023-51006

Description

An issue in the openFile method of Chinese Perpetual Calendar v9.0.0 allows attackers to read any file via unspecified vectors.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Chinese Perpetual Calendar v9.0.0's exported ContentProvider openFile method allows arbitrary file read via unvalidated URI path.

Vulnerability

The Android application "Chinese Perpetual Calendar" (package cn.etouch.ecalendar) version 9.0.0 exposes a ContentProvider named WidgetSkinProvider (authority cn.etouch.ecalendar.cacheprovider) with android:exported="true". The openFile method in this provider takes the path from the incoming URI directly via uri.getPath() and opens it with ParcelFileDescriptor.open(new File(path), ...), performing no validation or filtering. This allows any app on the device to request a URI with an arbitrary file path and read the corresponding file from the device's filesystem [1].

Exploitation

An attacker does not need special permissions beyond the ability to interact with the exposed ContentProvider (any third-party app installed on the device can do so). The attacker crafts a content://cn.etouch.ecalendar.cacheprovider/ URI with a path pointing to a target file (e.g., /data/data/cn.etouch.ecalendar/shared_prefs/eCalendarSync.xml containing user tokens). By calling ContentResolver.openInputStream() on this URI, the attacker obtains the file contents [1].

Impact

Successful exploitation enables an attacker to read arbitrarily chosen files on the device, including sensitive user data such as shared preferences files containing user UIDs, tokens, or other private information. This constitutes a high-severity information disclosure vulnerability (CVSS 7.5) with confidentiality impact, as no authentication or user interaction is required beyond having a malicious app installed [1].

Mitigation

As of the reference publication date (2023-12-28), no fix has been released for CVE-2023-51006. The vendor should implement input validation on the URI path within the openFile method, restrict the provider to internal use (e.g., set android:exported="false"), or use a proper file provider with predefined paths. Users should avoid granting unnecessary permissions to the application or consider replacing it until a patched version is available [1].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context is available for this CVE. Mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 1
