CVE-2024-10382 — HIGH (7.5)

Q: How severe is CVE-2024-10382?

CVE-2024-10382 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2024-10382?

Check the references section above for vendor advisories and patch information. Affected products include: Google Androidx.Car.App.

Vulnerability Description

There exists a code execution vulnerability in the Car App Android Jetpack Library. CarAppService uses deserialization logic that allows construction of arbitrary java classes. This can lead to arbitrary code execution when combined with specific Java deserialization gadgets. An attacker needs to install a malicious application on victims device to be able to attack any application that uses vulnerable library. We recommend upgrading the library past version 1.7.0-beta02.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Google	Androidx.Car.App	<= 1.4.0

Related Weaknesses (CWE)

CWE-94 CWE-502

References

https://developer.android.com/jetpack/androidx/releases/car-app#1.7.0-beta03Release Notes

FAQ

What is CVE-2024-10382?

CVE-2024-10382 is a vulnerability with a CVSS score of 7.5 (HIGH). There exists a code execution vulnerability in the Car App Android Jetpack Library. CarAppService uses deserialization logic that allows construction of arbitrary java classes. This can lead to arbitr...

How severe is CVE-2024-10382?

CVE-2024-10382 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2024-10382?

Check the references section above for vendor advisories and patch information. Affected products include: Google Androidx.Car.App.