Car App Android Jetpack Lib v1.7.0-beta02 Deser CVE-2024-10382 Code Exec
CVE-2024-10382 Published on November 20, 2024
Arbitrary Code execution in Car App Android Jetpack Library
There exists a code execution vulnerability in the Car App Android Jetpack Library. CarAppService uses deserialization logic that allows construction of arbitrary java classes. This can lead to arbitrary code execution when combined with specific Java deserialization gadgets. An attacker needs to install a malicious application on victims device to be able to attack any application that uses vulnerable library. We recommend upgrading the library past version 1.7.0-beta02.
Vulnerability Analysis
CVE-2024-10382 is exploitable with local system access, requires user interaction and a small amount of user privileges. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Types
What is a Marshaling, Unmarshaling Vulnerability?
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
CVE-2024-10382 has been classified to as a Marshaling, Unmarshaling vulnerability or weakness.
What is a Code Injection Vulnerability?
The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CVE-2024-10382 has been classified to as a Code Injection vulnerability or weakness.
Products Associated with CVE-2024-10382
stack.watch emails you whenever new vulnerabilities are published in Google Car or Google Androidx Car App. Just hit a watch button to start following.
Affected Versions
Google Android:- Version 1.4.0 and below 1.7.0-beta02 is affected.
- Version 1.4.0 and below 1.7.0-beta02 is affected.
- Version 1.4.0 and below 1.7.0-beta02 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.