Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2024-10382

Severity CVSS v4.0:
HIGH
Type:
CWE-502 Deserialization of Untrusted Dat
Publication date:
20/11/2024
Last modified:
04/08/2025

Description

There exists a code execution vulnerability in the Car App Android Jetpack Library. CarAppService uses deserialization logic that allows construction of arbitrary java classes. This can lead to arbitrary code execution when combined with specific Java deserialization gadgets. An attacker needs to install a malicious application on victims device to be able to attack any application that uses vulnerable library. We recommend upgrading the library past version 1.7.0-beta02.

Impact

Vector 4.0
CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/S:N/AU:N/R:U/V:C/RE:M/U:Amber CVSS v4.0 Severity and Metrics:

Base Score: 7.30 HIGH
Vector: CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/S:N/AU:N/R:U/V:C/RE:M/U:Amber

Attack Vector (AV): Local
Attack Complexity (AC): High
Attack Requirements (AT): Present
Privileges Required (PR): Low
User Interaction (UI): Passsive
Confidentiality (VC): High
Integrity (VI): High
Availability (VA): High
Confidentiality (SC): High
Integrity (SI): High
Availability (SA): High
Safety (S): Negligible
Automatable (AU): No
Recovery (R): User
Value Density (V): Concentrated
Vulnerability Response Effort (RE): Moderate
Provider Urgency (U): Amber

Base Score 4.0
7.30
Severity 4.0
HIGH
Vector 3.x
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H CVSS v3.1 Severity and Metrics:

Base Score: 7.50 HIGH
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

Attack Vector (AV): Local
Attack Complexity (AC): High
Privileges Required (PR): Low
User Interaction (UI): Required
Scope (S): Changed
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Base Score 3.x
7.50
Severity 3.x
HIGH

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:google:androidx.car.app:*:*:*:*:*:*:*:* 1.4.0 (including)
cpe:2.3:a:google:androidx.car.app:1.7.0:alpha01:*:*:*:*:*:*
cpe:2.3:a:google:androidx.car.app:1.7.0:alpha02:*:*:*:*:*:*
cpe:2.3:a:google:androidx.car.app:1.7.0:beta01:*:*:*:*:*:*

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools