CVE-2022-20458

Name of the Vulnerable Software and Affected Versions Android versions prior to Android-12L

Description The issue concerns the logging of sensitive information, such as personally identifiable information (PII) or hardware identifiers, in Android builds. Specifically, the StatusBarNotification.getKey() function could contain sensitive information. However, in the CarNotificationListener.java file, this sensitive information is printed directly to logs in Android "user" builds, potentially exposing users' account names. This behavior is not in line with the expected practice of only printing such sensitive information in "userdebug" or "eng" builds.

Recommendations For Android versions prior to Android-12L, consider restricting or disabling the logging functionality in CarNotificationListener.java to prevent the exposure of sensitive information. As a temporary workaround, avoid using the StatusBarNotification.getKey() function in logs until a proper fix is implemented.