CVE Vulnerability

CVE-2021-21386

APKLeaks is an open-source project for scanning APK file for URIs, endpoints & secrets. APKLeaks prior to v2.0.3 allows remote attackers to execute arbitrary OS commands via package name inside application manifest. An attacker could include arguments that allow unintended commands or code to be executed, allow sensitive data to be read or modified or could cause other unintended behavior through malicious package name. The problem is fixed in version v2.0.6-dev and above.

10 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 10 / Impact : 10

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

Scope

9.8 /10

CVSS v3.0 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/dwisiswant0/apkleaks/security/advisories/GHSA-8434-v7xw-8m9x Patch Third Party Advisory
https://github.com/dwisiswant0/apkleaks/commit/a966e781499ff6fd4eea66876d7532301b13a382 Patch Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:apkleaks_project:apkleaks:*:*:*:*:*:*:*:*
Information

Published : 2021-03-24 09:15

Updated : 2021-03-27 01:48

NVD link : CVE-2021-21386

Mitre link : CVE-2021-21386

Products Affected
No products.
CWE
CWE-78

CWE-88