NVD:CVE-2023-44128

CVE-2023-44128

Date: 2023-09-27 15:19:37 (Sep 27, 2023 - 3:19 p.m.)
CWE: CWE-367
Source: web.nvd.nist.gov
Tags: cve-2023-44128, lginstallservice, aidl interface, signature validation, file deletion

CVSS3: 3.6

Attack Vector: LOCAL
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: LOW

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L

AI Score: 5.2
Confidence: High
EPSS: 0.001
Percentile: 21.1%

The vulnerability allows deletion of arbitrary files through the LGInstallService (“com.lge.lginstallservies”) app. The app contains the exported “com.lge.lginstallservies.InstallService” service, which exposes an AIDL interface. All of its “installPackage*” methods ultimately call the “installPackageVerify()” method, which performs signature validation after the file-deletion method. An attacker can control conditions so that this security check is never performed and an attacker-controlled file is deleted.

Affected configurations

Nvd
Node: google android (Range 4.0 to 13.0) AND lg v60_thin_q_5g (Match -)

| Vendor | Product | Version | CPE |
|--------|---------|---------|-----|
| google | android | * | cpe:2.3:o:google:android:*:*:*:*:*:*:*:* |
| lg | v60_thin_q_5g | - | cpe:2.3:h:lg:v60_thin_q_5g:-:*:*:*:*:*:*:* |
