GHSA-8434-V7XW-8M9X

Vulnerability from github – Published: 2022-01-21 23:03 – Updated: 2022-05-27 22:48
VLAI
Summary
Improper Neutralization of Argument Delimiters in a Decompiling Package Process in APKLeaks
Details

APKLeaks prior to v2.0.4 allows remote authenticated attackers to execute arbitrary OS commands via package name inside the application manifest.

Impact

An authenticated attacker could include arguments that allow unintended commands or code to be executed, allow sensitive data to be read or modified, or could cause other unintended behavior through malicious package names.

References

  • a966e781499ff6fd4eea66876d7532301b13a382

For more information

If you have any questions or comments about this advisory: * Email me at me@dw1.io

Severity
9.3 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "APKLeaks"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-21386"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-78",
      "CWE-88"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-01-21T21:03:01Z",
    "nvd_published_at": "2021-03-24T21:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "APKLeaks prior to v2.0.4 allows remote authenticated attackers to execute arbitrary OS commands via package name inside the application manifest.\n\n### Impact\n\nAn authenticated attacker could include arguments that allow unintended commands or code to be executed, allow sensitive data to be read or modified, or could cause other unintended behavior through malicious package names.\n\n\n### References\n\n- a966e781499ff6fd4eea66876d7532301b13a382\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Email me at [me@dw1.io](mailto:me@dw1.io)\n",
  "id": "GHSA-8434-v7xw-8m9x",
  "modified": "2022-05-27T22:48:38Z",
  "published": "2022-01-21T23:03:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/dwisiswant0/apkleaks/security/advisories/GHSA-8434-v7xw-8m9x"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21386"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dwisiswant0/apkleaks/commit/a966e781499ff6fd4eea66876d7532301b13a382"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/dwisiswant0/apkleaks"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper Neutralization of Argument Delimiters in a Decompiling Package Process in APKLeaks"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.