CVE Record: CVE-2024-10382

alert

Notice: Keyword searching of CVE Records is now available in the search box above. Keywords may include a CVE ID (e.g., CVE-2024-1234), or one or more keywords separated by a space (e.g., authorization, SQL Injection, cross site scripting, etc.). Learn more here.

alert

Notice: Keyword searching of CVE Records is now available in the search box above. Keywords may include a CVE ID (e.g., CVE-2024-1234), or one or more keywords separated by a space (e.g., authorization, SQL Injection, cross site scripting, etc.). Learn more here.

Expand or collapse notification button

Required CVE Record Information

Description

There exists a code execution vulnerability in the Car App Android Jetpack Library. CarAppService uses deserialization logic that allows construction of arbitrary java classes. This can lead to arbitrary code execution when combined with specific Java deserialization gadgets. An attacker needs to install a malicious application on victims device to be able to attack any application that uses vulnerable library. We recommend upgrading the library past version 1.7.0-beta02.

CWE 1 Total

CWE-502: CWE-502 Deserialization of Untrusted Data

CVSS 1 Total

Product Status

Versions 1 Total

Default Status: unaffected

affected

Credits

Khanh Pham of Calif Hacking Team finder
Linh Le of Calif Hacking Team finder

References 1 Total

https://developer.android.com/jetpack/androidx/releases/car-app#1.7.0-beta03
external site

Authorized Data Publishers