CVE-2024-21633

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-21633
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-21633.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-21633
Aliases
  • GHSA-2hqv-2xv4-5h5w
Related
Published
2024-01-03T17:15:13Z
Modified
2024-11-28T23:48:28.473849Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

Apktool is a tool for reverse engineering Android APK files. In versions 2.9.1 and prior, Apktool infers resource files' output path according to their resource names which can be manipulated by attacker to place files at desired location on the system Apktool runs on. Affected environments are those in which an attacker may write/overwrite any file that user has write access, and either user name is known or cwd is under user folder. Commit d348c43b24a9de350ff6e5bd610545a10c1fc712 contains a patch for this issue.

References

Affected packages

Debian:11 / apktool

Package

Name
apktool
Purl
pkg:deb/debian/apktool?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.5.0+dfsg.1-2
2.6.1+dfsg.1-1
2.6.1+dfsg.1-2
2.7.0+dfsg-1
2.7.0+dfsg-2
2.7.0+dfsg-3
2.7.0+dfsg-4
2.7.0+dfsg-5
2.7.0+dfsg-6
2.7.0+dfsg-7

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / apktool

Package

Name
apktool
Purl
pkg:deb/debian/apktool?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.7.0+dfsg-6+deb12u1

Affected versions

2.*

2.7.0+dfsg-6

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / apktool

Package

Name
apktool
Purl
pkg:deb/debian/apktool?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.7.0+dfsg-7

Affected versions

2.*

2.7.0+dfsg-6

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/ibotpeaches/apktool

Affected ranges

Type
GIT
Repo
https://github.com/ibotpeaches/apktool
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v0.*

v0.9.2

v1.*

v1.0.0
v1.1.0
v1.1.1
v1.2.0
v1.3.0
v1.3.1
v1.3.2
v1.4.0
v1.4.1
v1.4.2
v1.4.3
v1.5.1
v1.5.2

v2.*

v2.0.0
v2.0.0-RC2
v2.0.0-RC3
v2.0.0-RC4
v2.0.1
v2.0.2
v2.0.3
v2.1.0
v2.1.1
v2.2.0
v2.2.1
v2.2.2
v2.2.3
v2.2.4
v2.3.0
v2.3.1
v2.3.2
v2.3.3
v2.3.4
v2.4.0
v2.4.1
v2.5.0
v2.6.0
v2.6.1
v2.7.0
v2.8.0
v2.8.1
v2.9.0
v2.9.1