Remote code execution in Google Play Core Library
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2020-8913 |
| CWE-ID | CWE-22 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Play Core Library Mobile applications / Libraries for mobile applications |
| Vendor |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
1) Path traversal
EUVDB-ID: #VU48781
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-8913
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to input validation error when processing directory traversal sequences inside apk files in Android's Play Core Library within the SplitCompat.install endpoint. A remote attacker can create a specially crafted APK file that targets a specific application, trick the victim into installing that APK and gain full access to the targeted application.
Successful exploitation of the vulnerability may allow an attacker to compromise the affected system but requires that the victim willingly installs a malicious application.
Install update from vendor's website.
Vulnerable software versionsPlay Core Library: 1.3.6 - 1.7.1
External linkshttp://blog.oversecured.com/Oversecured-automatically-discovers-persistent-code-execution-in-the-Google-Play-Core-Library/
http://developer.android.com/reference/com/google/android/play/core/release-notes#1-7-2
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
