Description

A local, arbitrary code execution vulnerability exists in the SplitCompat.install endpoint in Android's Play Core Library versions prior to 1.7.2. A malicious attacker could create an apk which targets a specific application, and if a victim were to install this apk, the attacker could perform a directory traversal, execute code as the targeted application and access the targeted application's data on the Android device. We recommend all users update Play Core to version 1.7.2 or later.

Remediation

References

https://blog.oversecured.com/Oversecured-automatically-discovers-persistent-code-execution-in-the-Google-Play-Core-Library/

https://developer.android.com/reference/com/google/android/play/core/release-notes#1-7-2

Related Vulnerabilities

CVE-2020-14967 Vulnerability in maven package org.webjars.npm:jsrsasign

CVE-2013-1808 Vulnerability in npm package zeroclipboard

CVE-2018-21268 Vulnerability in npm package traceroute

CVE-2022-29770 Vulnerability in maven package com.xuxueli:xxl-job

CVE-2021-21641 Vulnerability in maven package org.jenkins-ci.plugins:promoted-builds

Severity

Critical

Classification

CWE-22 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Tags

Exploit Technical Description Third Party Advisory Release Notes Vendor Advisory