Improper Neutralization of Special Elements in Output Used by a Downstream Component in Google Android - CVE-2014-7952
Published: January 12, 2018 / Updated: August 8, 2020
Vulnerability identifier: #VU37671
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2014-7952
CWE-ID: CWE-74
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: Google
Affected software:
Google Android
Google Android
Detailed vulnerability description
The vulnerability allows a local authenticated user to execute arbitrary code.
The backup mechanism in the adb tool in Android might allow attackers to inject additional applications (APKs) and execute arbitrary code by leveraging failure to filter application data streams.
How to mitigate CVE-2014-7952
Install update from vendor's website.
Sources
- http://packetstormsecurity.com/files/132645/ADB-Backup-APK-Injection.html
- http://seclists.org/fulldisclosure/2015/Jul/46
- http://www.search-lab.hu/about-us/news/110-android-adb-backup-apk-injection-vulnerability
- http://www.securityfocus.com/archive/1/535980/100/0/threaded
- http://www.securityfocus.com/bid/75705
- https://github.com/irsl/ADB-Backup-APK-Injection/