CVE-2024-21633

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-21633
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-21633.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-21633
Aliases
  • GHSA-2hqv-2xv4-5h5w
Downstream
Published
2024-01-03T16:59:18.566Z
Modified
2025-12-05T03:11:25.199724Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
Arbitrary file write on Decoding
Details

Apktool is a tool for reverse engineering Android APK files. In versions 2.9.1 and prior, Apktool infers the output path of each resource file from its resource name, which an attacker can manipulate to place files at a desired location on the system Apktool runs on. Affected environments are those in which an attacker may write/overwrite any file that the user has write access to, and either the user name is known or the cwd is under the user folder. Commit d348c43b24a9de350ff6e5bd610545a10c1fc712 contains a patch for this issue.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-22"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/21xxx/CVE-2024-21633.json"
}
References

Affected packages

Git / github.com/ibotpeaches/apktool

Affected ranges

Type
GIT
Repo
https://github.com/ibotpeaches/apktool
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v0.*

v0.9.2

v1.*

v1.0.0
v1.1.0
v1.1.1
v1.2.0
v1.3.0
v1.3.1
v1.3.2
v1.4.0
v1.4.1
v1.4.2
v1.4.3
v1.5.1
v1.5.2

v2.*

v2.0.0
v2.0.0-RC2
v2.0.0-RC3
v2.0.0-RC4
v2.0.1
v2.0.2
v2.0.3
v2.1.0
v2.1.1
v2.2.0
v2.2.1
v2.2.2
v2.2.3
v2.2.4
v2.3.0
v2.3.1
v2.3.2
v2.3.3
v2.3.4
v2.4.0
v2.4.1
v2.5.0
v2.6.0
v2.6.1
v2.7.0
v2.8.0
v2.8.1
v2.9.0
v2.9.1

Database specific

vanir_signatures

[
    {
        "target": {
            "file": "brut.j.dir/src/main/java/brut/directory/FileDirectory.java"
        },
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9
        },
        "source": "https://github.com/ibotpeaches/apktool/commit/d348c43b24a9de350ff6e5bd610545a10c1fc712",
        "deprecated": false,
        "id": "CVE-2024-21633-002eba49",
        "signature_type": "Line"
    },
    {
        "target": {
            "file": "brut.j.dir/src/main/java/brut/directory/DirUtil.java"
        },
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9
        },
        "source": "https://github.com/ibotpeaches/apktool/commit/d348c43b24a9de350ff6e5bd610545a10c1fc712",
        "deprecated": false,
        "id": "CVE-2024-21633-0c30872c",
        "signature_type": "Line"
    },
    {
        "target": {
            "function": "decode",
            "file": "brut.apktool/apktool-lib/src/main/java/brut/androlib/res/decoder/ResFileDecoder.java"
        },
        "signature_version": "v1",
        "digest": {
            "length": 2308.0,
            "function_hash": "95027386502078978239722984392857814412"
        },
        "source": "https://github.com/ibotpeaches/apktool/commit/d348c43b24a9de350ff6e5bd610545a10c1fc712",
        "deprecated": false,
        "id": "CVE-2024-21633-34eeb22c",
        "signature_type": "Function"
    },
    {
        "target": {
            "file": "brut.apktool/apktool-lib/src/test/java/brut/androlib/util/UnknownDirectoryTraversalTest.java"
        },
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9
        },
        "source": "https://github.com/ibotpeaches/apktool/commit/d348c43b24a9de350ff6e5bd610545a10c1fc712",
        "deprecated": false,
        "id": "CVE-2024-21633-3a7061ee",
        "signature_type": "Line"
    },
    {
        "target": {
            "function": "decodeResources",
            "file": "brut.apktool/apktool-lib/src/main/java/brut/androlib/res/ResourcesDecoder.java"
        },
        "signature_version": "v1",
        "digest": {
            "length": 1068.0,
            "function_hash": "135309352453870491185557149779871089182"
        },
        "source": "https://github.com/ibotpeaches/apktool/commit/d348c43b24a9de350ff6e5bd610545a10c1fc712",
        "deprecated": false,
        "id": "CVE-2024-21633-51fce822",
        "signature_type": "Function"
    },
    {
        "target": {
            "file": "brut.apktool/apktool-lib/src/main/java/brut/androlib/res/decoder/ResFileDecoder.java"
        },
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9
        },
        "source": "https://github.com/ibotpeaches/apktool/commit/d348c43b24a9de350ff6e5bd610545a10c1fc712",
        "deprecated": false,
        "id": "CVE-2024-21633-6654d4d8",
        "signature_type": "Line"
    },
    {
        "target": {
            "file": "brut.apktool/apktool-lib/src/main/java/brut/androlib/ApkBuilder.java"
        },
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9
        },
        "source": "https://github.com/ibotpeaches/apktool/commit/d348c43b24a9de350ff6e5bd610545a10c1fc712",
        "deprecated": false,
        "id": "CVE-2024-21633-be23b279",
        "signature_type": "Line"
    },
    {
        "target": {
            "file": "brut.apktool/apktool-lib/src/main/java/brut/androlib/res/ResourcesDecoder.java"
        },
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9
        },
        "source": "https://github.com/ibotpeaches/apktool/commit/d348c43b24a9de350ff6e5bd610545a10c1fc712",
        "deprecated": false,
        "id": "CVE-2024-21633-cfe90528",
        "signature_type": "Line"
    },
    {
        "target": {
            "function": "sanitizeUnknownFile",
            "file": "brut.j.util/src/main/java/brut/util/BrutIO.java"
        },
        "signature_version": "v1",
        "digest": {
            "length": 560.0,
            "function_hash": "305729855051051852695639420830314298728"
        },
        "source": "https://github.com/ibotpeaches/apktool/commit/d348c43b24a9de350ff6e5bd610545a10c1fc712",
        "deprecated": false,
        "id": "CVE-2024-21633-e68b6029",
        "signature_type": "Function"
    },
    {
        "target": {
            "file": "brut.j.util/src/main/java/brut/util/BrutIO.java"
        },
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9
        },
        "source": "https://github.com/ibotpeaches/apktool/commit/d348c43b24a9de350ff6e5bd610545a10c1fc712",
        "deprecated": false,
        "id": "CVE-2024-21633-ef0c8142",
        "signature_type": "Line"
    },
    {
        "target": {
            "file": "brut.j.dir/src/main/java/brut/directory/ZipUtils.java"
        },
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9
        },
        "source": "https://github.com/ibotpeaches/apktool/commit/d348c43b24a9de350ff6e5bd610545a10c1fc712",
        "deprecated": false,
        "id": "CVE-2024-21633-f92a36bf",
        "signature_type": "Line"
    }
]