Vulnerability Description
APKLeaks is an open-source project for scanning APK files for URIs, endpoints and secrets. APKLeaks prior to v2.0.3 allows remote attackers to execute arbitrary OS commands via the package name inside the application manifest. An attacker could craft a malicious package name whose contents are passed through as command arguments, allowing unintended commands or code to be executed, sensitive data to be read or modified, or other unintended behaviour. The problem is fixed in version v2.0.6-dev and above.
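As an added illustration (not APKLeaks' own code), the two patterns behind this bug class: an untrusted manifest package name spliced into a shell command string, beside a hardened version that allow-lists the name against the Android package-name grammar and passes it as an argv list so no shell ever parses it. The regex, the placeholder tool name `decompile-tool` and the sample names are assumptions made for the example.

```python
import re
import subprocess

# Android package names are dot-separated Java identifiers with at least two
# segments (e.g. com.example.app). This grammar is an assumption for the
# example; it is not taken from the APKLeaks source.
PACKAGE_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+$")

# Constructed sample values: a well-formed name and one that smuggles a
# second shell command into the manifest's package attribute.
BENIGN_NAME = "com.example.app"
HOSTILE_NAME = "com.example; echo injected"


def is_valid_package_name(name: str) -> bool:
    """Allow-list check: anything outside the package-name grammar is rejected."""
    return PACKAGE_NAME_RE.match(name) is not None


def build_unsafe_command(package_name: str) -> str:
    """Weak pattern: the untrusted manifest value is spliced into a shell string.

    Shell metacharacters in the name change what the shell would run. The
    string is only built here, never executed. 'decompile-tool' is a
    placeholder, not the real APKLeaks invocation.
    """
    return f"decompile-tool -o out/{package_name} app.apk"


def build_safe_argv(package_name: str) -> list:
    """Hardened pattern: validate first, then pass arguments as a list."""
    if not is_valid_package_name(package_name):
        raise ValueError(f"rejected package name: {package_name!r}")
    return ["decompile-tool", "-o", f"out/{package_name}", "app.apk"]


def run_decompiler(package_name: str) -> subprocess.CompletedProcess:
    """Run the tool without a shell; argv elements are never re-parsed."""
    return subprocess.run(build_safe_argv(package_name), shell=False, check=False)


if __name__ == "__main__":
    print(build_unsafe_command(HOSTILE_NAME))  # injected text lands in the command
    print(build_safe_argv(BENIGN_NAME))
    try:
        build_safe_argv(HOSTILE_NAME)
    except ValueError as err:
        print(err)
```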
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apkleaks Project | Apkleaks | < 2.0.3 |
Related Weaknesses (CWE)
References
- https://github.com/dwisiswant0/apkleaks/commit/a966e781499ff6fd4eea66876d7532301 (Patch, Third Party Advisory)
- https://github.com/dwisiswant0/apkleaks/security/advisories/GHSA-8434-v7xw-8m9x (Patch, Third Party Advisory)
FAQ
What is CVE-2021-21386?
CVE-2021-21386 is a vulnerability with a CVSS score of 9.3 (CRITICAL). APKLeaks is an open-source project for scanning APK file for URIs, endpoints & secrets. APKLeaks prior to v2.0.3 allows remote attackers to execute arbitrary OS commands via package name inside applic...
How severe is CVE-2021-21386?
CVE-2021-21386 has been rated CRITICAL with a CVSS base score of 9.3/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2021-21386?
Check the references section above for vendor advisories and patch information. Affected products include: Apkleaks Project Apkleaks.