Lucene search

GitHub_MCVELIST:CVE-2021-21386

HistoryMar 24, 2021 - 8:55 p.m.

CVE-2021-21386 Improper Neutralization of Argument Delimiters in a Decompiling Package Process

2021-03-2420:55:14

CWE-88

CWE-78

GitHub_M

www.cve.org

cve-2021-21386

decompiling package process

apkleaks

remote attackers

arbitrary os commands

application manifest

sensitive data

unintended behavior

CVSS3

9.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

AI Score

9.9

Confidence

High

EPSS

0.003

Percentile

71.1%

JSON

APKLeaks is an open-source project for scanning APK file for URIs, endpoints & secrets. APKLeaks prior to v2.0.3 allows remote attackers to execute arbitrary OS commands via package name inside application manifest. An attacker could include arguments that allow unintended commands or code to be executed, allow sensitive data to be read or modified or could cause other unintended behavior through malicious package name. The problem is fixed in version v2.0.6-dev and above.

CNA Affected

[
  {
    "product": "apkleaks",
    "vendor": "dwisiswant0",
    "versions": [
      {
        "status": "affected",
        "version": "< 2.0.6-dev"
      }
    ]
  }
]

References

github.com/dwisiswant0/apkleaks/commit/a966e781499ff6fd4eea66876d7532301b13a382

github.com/dwisiswant0/apkleaks/security/advisories/GHSA-8434-v7xw-8m9x

CVSS3

9.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

AI Score

9.9

Confidence

High

EPSS

0.003

Percentile

71.1%

JSON

Related for CVELIST:CVE-2021-21386