Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2018-9445: Path Traversal in INC Android

CWE-22: Path Traversal | 7 documents | 6 sources
Severity: 6.8 MEDIUM (NVD)
EPSS: 0.4% (top 40.54%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Timeline: Published Nov 6 | Latest update May 14

Description

In readMetadata of Utils.cpp, there is a possible path traversal bug due to a confused deputy. This could lead to local escalation of privilege when mounting a USB device with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-6.0, Android-6.0.1, Android-7.0, Android-7.1.1, Android-7.1.2, Android-8.0, Android-8.1. Android ID: A-80436257.

CVSS vector

CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 0.9 | Impact: 5.9

Affected Packages (2 packages)

NVD: google/android (7 versions)
CVEListV5: google_inc/android (Android-6.0, Android-6.0.1, Android-7.0, Android-7.1.1, Android-7.1.2, Android-8.0, Android-8.1)

Patches

🔴 Vulnerability Details (3)

GHSA: GHSA-xqhw-7jhx-gmrc: In readMetadata of Utils (2022-05-14)
CVEList: CVE-2018-9445: In readMetadata of Utils (2018-11-06)
Project0: OATmeal on the Universal Cereal Bus: Exploiting Android phones over USB - Project Zero (2018-09-01)

💥 Exploits & PoCs (2)

Exploit-DB: Android - 'zygote->init;' Chain from USB Privilege Escalation (2018-09-11)
Exploit-DB: Android - Directory Traversal over USB via Injection in blkid Output (2018-08-13)

📋 Vendor Advisories (1)

Android: CVE-2018-9445: Android Security Bulletin 2018-08-01 CVE: CVE-2018-9445 Severity: HIGH Type: EoP Affected AOSP versions: 6 (2018-08-01)
CVE-2018-9445 — Path Traversal in Google INC Android | cvebase