There exists a code execution vulnerability in the Car App Android Jetpack Library. CarAppService uses deserialization logic that allows construction of arbitrary java classes. This can lead to arbitrary code execution when combined with specific Java deserialization gadgets. An attacker needs to install a malicious application on victims device to be able to attack any application that uses vulnerable library. We recommend upgrading the library past version 1.7.0-beta02.
History

Tue, 26 Nov 2024 10:30:00 +0000

Type Values Removed Values Added
Description There exists a code execution vulnerability in the Car App Android Jetpack Library. In the CarAppService desrialization logic is used that allows for arbitrary java classes to be constructed. In combination with other gadgets, this can lead to arbitrary code execution. An attacker needs to have an app on a victims Android device that uses the CarAppService Class and the victim would need to install a malicious app alongside it. We recommend upgrading the library past versionĀ 1.7.0-beta02 There exists a code execution vulnerability in the Car App Android Jetpack Library. CarAppService uses deserialization logic that allows construction of arbitrary java classes. This can lead to arbitrary code execution when combined with specific Java deserialization gadgets. An attacker needs to install a malicious application on victims device to be able to attack any application that uses vulnerable library. We recommend upgrading the library past version 1.7.0-beta02.

Wed, 20 Nov 2024 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google android
Weaknesses CWE-94
CPEs cpe:2.3:o:google:android:-:*:*:*:*:*:*:*
Vendors & Products Google
Google android
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 20 Nov 2024 10:30:00 +0000

Type Values Removed Values Added
Description There exists a code execution vulnerability in the Car App Android Jetpack Library. In the CarAppService desrialization logic is used that allows for arbitrary java classes to be constructed. In combination with other gadgets, this can lead to arbitrary code execution. An attacker needs to have an app on a victims Android device that uses the CarAppService Class and the victim would need to install a malicious app alongside it. We recommend upgrading the library past versionĀ 1.7.0-beta02
Title Arbitrary Code execution in Car App Android Jetpack Library
Weaknesses CWE-502
References
Metrics cvssV4_0

{'score': 7.3, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/S:N/AU:N/R:U/V:C/RE:M/U:Amber'}


cve-icon MITRE

Status: PUBLISHED

Assigner: Google

Published: 2024-11-20T10:21:20.473Z

Updated: 2024-12-18T12:53:54.959Z

Reserved: 2024-10-25T09:41:37.387Z

Link: CVE-2024-10382

cve-icon Vulnrichment

Updated: 2024-11-20T16:53:04.607Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2024-11-20T11:15:04.280

Modified: 2024-11-26T11:21:57.823

Link: CVE-2024-10382

cve-icon Redhat

No data.