Vulnerability Description
he vulnerability is to delete arbitrary files in LGInstallService ("com.lge.lginstallservies") app. The app contains the exported "com.lge.lginstallservies.InstallService" service that exposes an AIDL interface. All its "installPackage*" methods are finally calling the "installPackageVerify()" method that performs signature validation after the delete file method. An attacker can control conditions so this security check is never performed and an attacker-controlled file is deleted.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Android | >= 4.0, <= 13.0 | |
| Lg | V60 Thin Q 5G | - |
Related Weaknesses (CWE)
References
- https://lgsecurity.lge.com/bulletins/mobile#updateDetailsVendor Advisory
- https://lgsecurity.lge.com/bulletins/mobile#updateDetailsVendor Advisory
FAQ
What is CVE-2023-44128?
CVE-2023-44128 is a vulnerability with a CVSS score of 5.0 (MEDIUM). he vulnerability is to delete arbitrary files in LGInstallService ("com.lge.lginstallservies") app. The app contains the exported "com.lge.lginstallservies.InstallService" service that exposes an AIDL...
How severe is CVE-2023-44128?
CVE-2023-44128 has been rated MEDIUM with a CVSS base score of 5.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-44128?
Check the references section above for vendor advisories and patch information. Affected products include: Google Android, Lg V60 Thin Q 5G.