CVE-2024-10382

{"id": "CVE-2024-10382", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 0.8}], "cvssMetricV40": [{"type": "Secondary", "source": "cve-coordination@google.com", "cvssData": {"Safety": "NEGLIGIBLE", "version": "4.0", "Recovery": "USER", "baseScore": 7.3, "Automatable": "NO", "attackVector": "LOCAL", "baseSeverity": "HIGH", "valueDensity": "CONCENTRATED", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:U/V:C/RE:M/U:Amber", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "AMBER", "userInteraction": "PASSIVE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "MODERATE", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2024-11-20T11:15:04.280", "references": [{"url": "https://developer.android.com/jetpack/androidx/releases/car-app#1.7.0-beta03", "tags": ["Release Notes"], "source": "cve-coordination@google.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "cve-coordination@google.com", "description": [{"lang": "en", "value": "CWE-502"}]}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-94"}]}], "descriptions": [{"lang": "en", "value": "There exists a code execution vulnerability in the Car App Android Jetpack Library. CarAppService uses deserialization logic that allows construction of arbitrary java classes. This can lead to arbitrary code execution when combined with specific Java deserialization gadgets. An attacker needs to install a malicious application on victims device to be able to attack any application that uses vulnerable library. We recommend upgrading the library past version 1.7.0-beta02."}, {"lang": "es", "value": "Existe una vulnerabilidad de ejecuci\u00f3n de c\u00f3digo en Car App Android Jetpack Library. En CarAppService se utiliza una l\u00f3gica de desrializaci\u00f3n que permite construir clases Java arbitrarias. En combinaci\u00f3n con otros dispositivos, esto puede provocar la ejecuci\u00f3n de c\u00f3digo arbitrario. Un atacante debe tener una aplicaci\u00f3n en el dispositivo Android de la v\u00edctima que utilice la clase CarAppService y la v\u00edctima debe instalar una aplicaci\u00f3n maliciosa junto con ella. Recomendamos actualizar la librer\u00eda a una versi\u00f3n superior a la 1.7.0-beta02"}], "lastModified": "2025-08-04T14:11:53.267", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:google:androidx.car.app:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C3204134-C84B-444D-9C97-A0E1BEBC6EBF", "versionEndIncluding": "1.4.0"}, {"criteria": "cpe:2.3:a:google:androidx.car.app:1.7.0:alpha01:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A7FDBEB3-A595-40D1-B619-A3D79D51A0F7"}, {"criteria": "cpe:2.3:a:google:androidx.car.app:1.7.0:alpha02:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2EDC8E23-DCFD-40D4-9E70-EE3622965EA2"}, {"criteria": "cpe:2.3:a:google:androidx.car.app:1.7.0:beta01:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FD618764-0458-4397-9260-E81395D259F9"}], "operator": "OR"}]}], "sourceIdentifier": "cve-coordination@google.com"}