CVE-2024-10382
EUVD-2024-3358220.11.2024, 11:15
There exists a code execution vulnerability in the Car App Android Jetpack Library. CarAppService uses deserialization logic that allows construction of arbitrary java classes. This can lead to arbitrary code execution when combined with specific Java deserialization gadgets. An attacker needs to install a malicious application on victims device to be able to attack any application that uses vulnerable library. We recommend upgrading the library past version 1.7.0-beta02.
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| androidx.car.app | 𝑥 ≤ 1.4.0 | |
| androidx.car.app | 1.7.0:alpha01 | |
| androidx.car.app | 1.7.0:alpha02 | |
| androidx.car.app | 1.7.0:beta01 |
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
| Vendor | Product | Version | Source |
|---|---|---|---|
| android | 1.4.0 ≤ 𝑥 < 1.7.0-beta02 | ADP | |
| android | 1.4.0 ≤ 𝑥 < 1.7.0-beta02 | ADP |
Common Weakness Enumeration
- CWE-502 - Deserialization of Untrusted DataThe application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
- CWE-94 - Improper Control of Generation of Code ('Code Injection')The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.