Path traversal in Play Core Library - CVE-2020-8913

 

Path traversal in Play Core Library - CVE-2020-8913

Published: August 12, 2020 / Updated: December 4, 2020


Vulnerability identifier: #VU48781
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2020-8913
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Google
Affected software:
Play Core Library

Detailed vulnerability description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to input validation error when processing directory traversal sequences inside apk files in Android's Play Core Library within the SplitCompat.install endpoint. A remote attacker can create a specially crafted APK file that targets a specific application, trick the victim into installing that APK and gain full access to the targeted application.

Successful exploitation of the vulnerability may allow an attacker to compromise the affected system but requires that the victim willingly installs a malicious application.


How to mitigate CVE-2020-8913

Install update from vendor's website.

Sources