There exists a code execution vulnerability in the Car App Android Jetpack Library. CarAppService uses deserialization logic that allows construction of arbitrary java classes. This can lead to arbitrary code execution when combined with specific Java deserialization gadgets. An attacker needs to install a malicious application on victims device to be able to attack any application that uses vulnerable library. We recommend upgrading the library past version 1.7.0-beta02.
Metrics
Affected Vendors & Products
References
History
Tue, 26 Nov 2024 10:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | There exists a code execution vulnerability in the Car App Android Jetpack Library. In the CarAppService desrialization logic is used that allows for arbitrary java classes to be constructed. In combination with other gadgets, this can lead to arbitrary code execution. An attacker needs to have an app on a victims Android device that uses the CarAppService Class and the victim would need to install a malicious app alongside it. We recommend upgrading the library past versionĀ 1.7.0-beta02 | There exists a code execution vulnerability in the Car App Android Jetpack Library. CarAppService uses deserialization logic that allows construction of arbitrary java classes. This can lead to arbitrary code execution when combined with specific Java deserialization gadgets. An attacker needs to install a malicious application on victims device to be able to attack any application that uses vulnerable library. We recommend upgrading the library past version 1.7.0-beta02. |
Wed, 20 Nov 2024 17:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Google
Google android |
|
Weaknesses | CWE-94 | |
CPEs | cpe:2.3:o:google:android:-:*:*:*:*:*:*:* | |
Vendors & Products |
Google
Google android |
|
Metrics |
cvssV3_1
|
Wed, 20 Nov 2024 10:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | There exists a code execution vulnerability in the Car App Android Jetpack Library. In the CarAppService desrialization logic is used that allows for arbitrary java classes to be constructed. In combination with other gadgets, this can lead to arbitrary code execution. An attacker needs to have an app on a victims Android device that uses the CarAppService Class and the victim would need to install a malicious app alongside it. We recommend upgrading the library past versionĀ 1.7.0-beta02 | |
Title | Arbitrary Code execution in Car App Android Jetpack Library | |
Weaknesses | CWE-502 | |
References |
| |
Metrics |
cvssV4_0
|
MITRE
Status: PUBLISHED
Assigner: Google
Published: 2024-11-20T10:21:20.473Z
Updated: 2024-12-18T12:53:54.959Z
Reserved: 2024-10-25T09:41:37.387Z
Link: CVE-2024-10382
Vulnrichment
Updated: 2024-11-20T16:53:04.607Z
NVD
Status : Awaiting Analysis
Published: 2024-11-20T11:15:04.280
Modified: 2024-11-26T11:21:57.823
Link: CVE-2024-10382
Redhat
No data.