Lucene search

[email protected]NVD:CVE-2024-43399

HistoryAug 19, 2024 - 3:15 p.m.

CVE-2024-43399

2024-08-1915:15:09

CWE-23

CWE-22

[email protected]

web.nvd.nist.gov

mobsf

static libraries

zip slip

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

38.4%

JSON

Mobile Security Framework (MobSF) is a pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. Before 4.0.7, there is a flaw in the Static Libraries analysis section. Specifically, during the extraction of .a extension files, the measure intended to prevent Zip Slip attacks is improperly implemented. Since the implemented measure can be bypassed, the vulnerability allows an attacker to extract files to any desired location within the server running MobSF. This vulnerability is fixed in 4.0.7.

Affected configurations

Nvd

Node

opensecuritymobile_security_frameworkRange<4.0.7

VendorProductVersionCPE
opensecuritymobile_security_framework*cpe:2.3:a:opensecurity:mobile_security_framework:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
opensecurity	mobile_security_framework	*	cpe:2.3:a:opensecurity:mobile_security_framework::::::::

References

github.com/MobSF/Mobile-Security-Framework-MobSF/commit/cc625fe8430f3437a473e82aa2966d100a4dc883

github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-4hh3-vj32-gr6j

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

38.4%

JSON

Related for NVD:CVE-2024-43399

cvelist1 github1 veracode1 osv2 vulnrichment1 cve1