Description

A local, arbitrary code execution vulnerability exists in the SplitCompat.install endpoint in Android's Play Core Library versions prior to 1.7.2. A malicious attacker could create an apk which targets a specific application, and if a victim were to install this apk, the attacker could perform a directory traversal, execute code as the targeted application and access the targeted application's data on the Android device. We recommend all users update Play Core to version 1.7.2 or later.

Remediation

References

https://developer.android.com/reference/com/google/android/play/core/release-notes#1-7-2

https://blog.oversecured.com/Oversecured-automatically-discovers-persistent-code-execution-in-the-Google-Play-Core-Library/

Related Vulnerabilities

CVE-2022-41252 Vulnerability in maven package org.jenkins-ci.plugins:cons3rt

CVE-2021-41184 Vulnerability in npm package jquery-ui

CVE-2022-23974 Vulnerability in maven package org.apache.pinot:pinot

CVE-2018-1000401 Vulnerability in maven package org.jenkins-ci.plugins:aws-codepipeline

CVE-2023-43666 Vulnerability in maven package org.apache.inlong:manager-web

Severity

Critical

Classification

CWE-22 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Tags

Release Notes Vendor Advisory Exploit Technical Description Third Party Advisory