CVE-2024-10382 — Deserialization of Untrusted Data in Google Android

CWE-502 — Deserialization of Untrusted Data CWE-94 — Code Injection2 documents2 sources

Severity

7.3HIGHNVD

EPSS

0.1%

top 84.08%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Google Android Google Androidx.car.app

Timeline

PublishedNov 20

Description

There exists a code execution vulnerability in the Car App Android Jetpack Library. CarAppService uses deserialization logic that allows construction of arbitrary java classes. This can lead to arbitrary code execution when combined with specific Java deserialization gadgets. An attacker needs to install a malicious application on victims device to be able to attack any application that uses vulnerable library. We recommend upgrading the library past version 1.7.0-beta02.

CVSS vector

CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/S:N

Affected Packages2 packages

▶CVEListV5google/android1.4.0 — 1.7.0-beta02

▶NVDgoogle/androidx.car.app1.4.0+1

🔴Vulnerability Details

GHSA

GHSA-pq4w-jf35-7pmx: There exists a code execution vulnerability in the Car App Android Jetpack Library↗2024-11-20

▶