CVE-2024-10382

There exists a code execution vulnerability in the Car App Android Jetpack Library. CarAppService uses deserialization logic that allows construction of arbitrary java classes. This can lead to arbitrary code execution when combined with specific Java deserialization gadgets. An attacker needs to install a malicious application on victims device to be able to attack any application that uses vulnerable library. We recommend upgrading the library past version 1.7.0-beta02.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 0.8 / Impact : 6.0

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://developer.android.com/jetpack/androidx/releases/car-app#1.7.0-beta03

Configurations

No configuration.

History

26 Nov 2024, 11:21

Type	Values Removed	Values Added
Summary	(en) There exists a code execution vulnerability in the Car App Android Jetpack Library. In the CarAppService desrialization logic is used that allows for arbitrary java classes to be constructed. In combination with other gadgets, this can lead to arbitrary code execution. An attacker needs to have an app on a victims Android device that uses the CarAppService Class and the victim would need to install a malicious app alongside it. We recommend upgrading the library past version 1.7.0-beta02	(en) There exists a code execution vulnerability in the Car App Android Jetpack Library. CarAppService uses deserialization logic that allows construction of arbitrary java classes. This can lead to arbitrary code execution when combined with specific Java deserialization gadgets. An attacker needs to install a malicious application on victims device to be able to attack any application that uses vulnerable library. We recommend upgrading the library past version 1.7.0-beta02.

21 Nov 2024, 13:57

Type	Values Removed	Values Added
Summary		(es) Existe una vulnerabilidad de ejecución de código en Car App Android Jetpack Library. En CarAppService se utiliza una lógica de desrialización que permite construir clases Java arbitrarias. En combinación con otros dispositivos, esto puede provocar la ejecución de código arbitrario. Un atacante debe tener una aplicación en el dispositivo Android de la víctima que utilice la clase CarAppService y la víctima debe instalar una aplicación maliciosa junto con ella. Recomendamos actualizar la librería a una versión superior a la 1.7.0-beta02

20 Nov 2024, 17:35

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
CWE		CWE-94

20 Nov 2024, 11:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-11-20 11:15

Updated : 2024-11-26 11:21

NVD link : CVE-2024-10382

Mitre link : CVE-2024-10382

CVE.ORG link : CVE-2024-10382

JSON object : View

Products Affected

No product.

CWE

CWE-502

Deserialization of Untrusted Data

CWE-94

Improper Control of Generation of Code ('Code Injection')

7.5 /10