{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-36938", "assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827", "assignerShortName": "facebook", "dateUpdated": "2025-05-01T13:48:31.983Z", "dateReserved": "2022-07-27T00:00:00.000Z", "datePublished": "2022-11-10T00:00:00.000Z"}, "containers": {"cna": {"dateAssigned": "2022-11-10T00:00:00.000Z", "providerMetadata": {"orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827", "shortName": "facebook", "dateUpdated": "2022-11-10T00:00:00.000Z"}, "descriptions": [{"lang": "en", "value": "DexLoader function get_stringidx_fromdex() in Redex prior to commit 3b44c64 can load an out of bound address when loading the string index table, potentially allowing remote code execution during processing of a 3rd party Android APK file."}], "affected": [{"vendor": "Facebook", "product": "Redex", "versions": [{"version": "unspecified", "lessThan": "3b44c64", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://github.com/facebook/redex/commit/3b44c640346b77bfb7ef36e2413688dd460288d2"}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-125: Out-of-bounds Read, CWE-822: Untrusted Pointer Dereference", "cweId": "CWE-125"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T10:21:31.918Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/facebook/redex/commit/3b44c640346b77bfb7ef36e2413688dd460288d2", "tags": ["x_transferred"]}]}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-05-01T13:48:18.329372Z", "id": "CVE-2022-36938", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-01T13:48:31.983Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/facebook/redex/commit/3b44c640346b77bfb7ef36e2413688dd460288d2", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T10:21:31.918Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2022-36938", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-05-01T13:48:18.329372Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-01T13:48:28.485Z"}}], "cna": {"affected": [{"vendor": "Facebook", "product": "Redex", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "3b44c64", "versionType": "custom"}]}], "references": [{"url": "https://github.com/facebook/redex/commit/3b44c640346b77bfb7ef36e2413688dd460288d2"}], "dateAssigned": "2022-11-10T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "DexLoader function get_stringidx_fromdex() in Redex prior to commit 3b44c64 can load an out of bound address when loading the string index table, potentially allowing remote code execution during processing of a 3rd party Android APK file."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-125", "description": "CWE-125: Out-of-bounds Read, CWE-822: Untrusted Pointer Dereference"}]}], "providerMetadata": {"orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827", "shortName": "facebook", "dateUpdated": "2022-11-10T00:00:00.000Z"}}}, "cveMetadata": {"cveId": "CVE-2022-36938", "state": "PUBLISHED", "dateUpdated": "2025-05-01T13:48:31.983Z", "dateReserved": "2022-07-27T00:00:00.000Z", "assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827", "datePublished": "2022-11-10T00:00:00.000Z", "assignerShortName": "facebook"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:facebook:redex:*:*:*:*:*:*:*:*", "matchCriteriaId": "E83BD5C5-67EF-4EBA-8ADC-9A69E639D817", "versionEndExcluding": "2022-11-04", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "DexLoader function get_stringidx_fromdex() in Redex prior to commit 3b44c64 can load an out of bound address when loading the string index table, potentially allowing remote code execution during processing of a 3rd party Android APK file."}, {"lang": "es", "value": "La funci\u00f3n DexLoader get_stringidx_fromdex() en Redex antes del commit 3b44c64 puede cargar una direcci\u00f3n fuera de l\u00edmite al cargar la tabla de \u00edndice de cadenas, lo que potencialmente permite la ejecuci\u00f3n remota de c\u00f3digo durante el procesamiento de un archivo APK de Android de terceros."}], "id": "CVE-2022-36938", "lastModified": "2025-05-01T14:15:25.820", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2022-11-11T00:15:10.193", "references": [{"source": "cve-assign@fb.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/facebook/redex/commit/3b44c640346b77bfb7ef36e2413688dd460288d2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/facebook/redex/commit/3b44c640346b77bfb7ef36e2413688dd460288d2"}], "sourceIdentifier": "cve-assign@fb.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "cve-assign@fb.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-1284"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}