CVE-2024-10382

Published Nov 20, 2024

Last updated 3 months ago

CVSS high 7.3

Overview

Description
There exists a code execution vulnerability in the Car App Android Jetpack Library. CarAppService uses deserialization logic that allows construction of arbitrary java classes. This can lead to arbitrary code execution when combined with specific Java deserialization gadgets. An attacker needs to install a malicious application on victims device to be able to attack any application that uses vulnerable library. We recommend upgrading the library past version 1.7.0-beta02.
Source
cve-coordination@google.com
NVD status
Awaiting Analysis

Risk scores

CVSS 4.0

Type
Secondary
Base score
7.3
Impact score
-
Exploitability score
-
Vector string
CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:U/V:C/RE:M/U:Amber
Severity
HIGH

CVSS 3.1

Type
Secondary
Base score
7.5
Impact score
6
Exploitability score
0.8
Vector string
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
Severity
HIGH

Weaknesses

cve-coordination@google.com
CWE-502
134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE-94

Social media

Hype score
Not currently trending

  1. CVE-2024-10382 There exists a code execution vulnerability in the Car App Android Jetpack Library. In the CarAppService desrialization logic is used that allows for arbitrary java c… https://t.co/gj2ILfth35

    @CVEnew

    20 Nov 2024

    105 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

References