#VU48781 Path traversal in Play Core Library - CVE-2020-8913
Published: August 12, 2020 / Updated: December 4, 2020
Vulnerability identifier: #VU48781
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2020-8913
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Play Core Library
Play Core Library
Software vendor:
Google
Description
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to input validation error when processing directory traversal sequences inside apk files in Android's Play Core Library within the SplitCompat.install endpoint. A remote attacker can create a specially crafted APK file that targets a specific application, trick the victim into installing that APK and gain full access to the targeted application.
Successful exploitation of the vulnerability may allow an attacker to compromise the affected system but requires that the victim willingly installs a malicious application.
Remediation
Install update from vendor's website.