CVE-2024-10382

Опубликовано: 20 нояб. 2024

Источник: nvd

CVSS3: 7.5

EPSS Низкий

Описание

There exists a code execution vulnerability in the Car App Android Jetpack Library. CarAppService uses deserialization logic that allows construction of arbitrary java classes. This can lead to arbitrary code execution when combined with specific Java deserialization gadgets. An attacker needs to install a malicious application on victims device to be able to attack any application that uses vulnerable library. We recommend upgrading the library past version 1.7.0-beta02.

Ссылки

https://developer.android.com/jetpack/androidx/releases/car-app#1.7.0-beta03
Release Notes

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:google:androidx.car.app:*:*:*:*:*:*:*:*

Версия до 1.4.0 (включая)

cpe:2.3:a:google:androidx.car.app:1.7.0:alpha01:*:*:*:*:*:*

cpe:2.3:a:google:androidx.car.app:1.7.0:alpha02:*:*:*:*:*:*

cpe:2.3:a:google:androidx.car.app:1.7.0:beta01:*:*:*:*:*:*

EPSS

Процентиль: 16%

0.00051

Низкий

7.5 High

CVSS3

Дефекты

CWE-502

CWE-94

Связанные уязвимости

GHSA-pq4w-jf35-7pmx

CVSS3: 7.5

github

около 1 года назад

There exists a code execution vulnerability in the Car App Android Jetpack Library. In the CarAppService desrialization logic is used that allows for arbitrary java classes to be constructed. In combination with other gadgets, this can lead to arbitrary code execution. An attacker needs to have an app on a victims Android device that uses the CarAppService Class and the victim would need to install a malicious app alongside it. We recommend upgrading the library past version 1.7.0-beta02

EPSS

Процентиль: 16%

0.00051

Низкий

7.5 High

CVSS3

Дефекты

CWE-502

CWE-94