CVE-2024-32653

Source
https://cve.org/CVERecord?id=CVE-2024-32653
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-32653.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-32653
Aliases
  • GHSA-3pp3-hg2q-9gpm
Published
2024-04-22T22:13:47.917Z
Modified
2026-04-12T09:49:34.267400Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:H
Summary
Insufficient input filtering of "package name" allows command execution in the device with shell privileges
Details

jadx is a Dex to Java decompiler. Prior to version 1.5.0, the package name is not filtered before it is concatenated, so arbitrary code can be injected through the package name. The vulnerability allows an attacker to execute commands with shell privileges. Per the CVSS vector listed under Severity, exploitation requires local access, low privileges and user interaction. Version 1.5.0 contains a patch for the vulnerability.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-20"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/32xxx/CVE-2024-32653.json"
}
References

Affected packages

Git / github.com/skylot/jadx

Affected ranges

Type
GIT
Repo
https://github.com/skylot/jadx
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Type
GIT
Repo
https://github.com/skylot/jadx
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v0.*
v0.4
v0.4.1
v0.5.0
v0.5.0-beta1
v0.5.1
v0.5.2
v0.5.4
v0.6.0
v0.6.1
v0.7.1
v0.8.0
v0.9.0
v1.*
v1.0.0
v1.1.0
v1.2.0
v1.3.0
v1.3.1
v1.3.2
v1.3.3
v1.3.4
v1.3.5
v1.4.0
v1.4.1
v1.4.2
v1.4.3
v1.4.4
v1.4.5
v1.4.6
v1.4.7

Database specific

vanir_signatures
[
    {
        "id": "CVE-2024-32653-3a47a040",
        "signature_version": "v1",
        "source": "https://github.com/skylot/jadx/commit/f2ea6415c9228523eab1be4b1359eef43ba64372",
        "signature_type": "Function",
        "target": {
            "file": "jadx-cli/src/main/java/jadx/cli/JadxCLIArgs.java",
            "function": "convert"
        },
        "digest": {
            "function_hash": "103332005780533498053202047657284946383",
            "length": 576.0
        },
        "deprecated": false
    },
    {
        "id": "CVE-2024-32653-3b578363",
        "signature_version": "v1",
        "source": "https://github.com/skylot/jadx/commit/f2ea6415c9228523eab1be4b1359eef43ba64372",
        "signature_type": "Line",
        "target": {
            "file": "jadx-cli/src/test/java/jadx/cli/RenameConverterTest.java"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "250637368918785046625410560880765188779",
                "7252600086920650372968659098519645565",
                "144793756495931796042885902937111395498",
                "261144168825223628569520614120628478196",
                "83761355464769585620012853448469428495",
                "120723116044373101633259002554038197782",
                "39464023663414599673678320343297654558",
                "98871669464052845022328525115937547035"
            ]
        },
        "deprecated": false
    },
    {
        "id": "CVE-2024-32653-73daa004",
        "signature_version": "v1",
        "source": "https://github.com/skylot/jadx/commit/f2ea6415c9228523eab1be4b1359eef43ba64372",
        "signature_type": "Line",
        "target": {
            "file": "jadx-cli/src/main/java/jadx/cli/JadxCLICommands.java"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "20537953357456439250910846448683778345",
                "7096123205660409183417849417568860720",
                "96954985714700598378976566482877115575",
                "39854674653382625947615415329816658001",
                "290559545559816069669234325474746285563",
                "277190575908414465107584428140244358007",
                "46464984257681181023020213419035113746",
                "287567383877182882503980440280953610132"
            ]
        },
        "deprecated": false
    },
    {
        "id": "CVE-2024-32653-74da3958",
        "signature_version": "v1",
        "source": "https://github.com/skylot/jadx/commit/f2ea6415c9228523eab1be4b1359eef43ba64372",
        "signature_type": "Line",
        "target": {
            "file": "jadx-core/src/main/java/jadx/api/JadxArgsValidator.java"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "190966953002946820870420510531712031543",
                "271447210304827912765075474722486803770",
                "259099364127355780637621982524423470199",
                "302801398567201482209115576787348298486",
                "2963432239078499187101947698940894873",
                "281621488402717623883069330312814761454",
                "275454440091137056533497274518767199913",
                "204988106270154516999805707512883178097",
                "175592763254026098853518323110504800497"
            ]
        },
        "deprecated": false
    },
    {
        "id": "CVE-2024-32653-7648627c",
        "signature_version": "v1",
        "source": "https://github.com/skylot/jadx/commit/f2ea6415c9228523eab1be4b1359eef43ba64372",
        "signature_type": "Line",
        "target": {
            "file": "jadx-cli/src/main/java/jadx/cli/SingleClassMode.java"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "137204616384404342027926792353629800377",
                "3241326883155677807951827821037059810",
                "188298616503292654115192433071675389800",
                "191282993507288051734599875402933779164",
                "150015992258766932401596824491651738884",
                "237798945000181770647326591347326535398",
                "222848250393397233818593450026311684550",
                "332900388282048279410310657818520640835",
                "210581767547967470289898255654576521784",
                "239926726042084735588900126198339024792",
                "75759002193508882975936402069413130017",
                "194195066808167767012309963505099825311",
                "44047918895801167108319068940090348663",
                "138536888287417038914966841503882253475",
                "7131003659886175077169702421365818560"
            ]
        },
        "deprecated": false
    },
    {
        "id": "CVE-2024-32653-89bebf8d",
        "signature_version": "v1",
        "source": "https://github.com/skylot/jadx/commit/f2ea6415c9228523eab1be4b1359eef43ba64372",
        "signature_type": "Line",
        "target": {
            "file": "jadx-cli/src/main/java/jadx/cli/JadxCLIArgs.java"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "202110388986604940098377668846947655428",
                "173846499568810642491947689134923832377",
                "205847779880972046005754017607891505521",
                "197896076323384601140362263896571775314",
                "153563064628603188722224799519559922928",
                "87211665690073308573144778482696170900",
                "281670684895734357339333826022753421197",
                "313420770862680557202955623703232963668",
                "27506009619698880069222287785187799681",
                "104431123535916616271900162889196289233",
                "256079628039966957860243629213613763415",
                "340232425616005986830086855212366535252",
                "254133839521555363248645796933455969022",
                "320067241860448592161369803268465550686",
                "105135349804760838859480469610730392589",
                "262082582965922386148322060664549681255",
                "186859121843077960596243229601395366476",
                "237955636984308362775916901870579087182",
                "65053460758726453995904699826287897576",
                "251644764731833924781670464890815721758",
                "313973414378460246405946024471849306743",
                "113885136727021211919852471355583849089",
                "219991581445494029373715002850857496159",
                "104974998570651180131120574819054181254"
            ]
        },
        "deprecated": false
    },
    {
        "id": "CVE-2024-32653-af0cc8e4",
        "signature_version": "v1",
        "source": "https://github.com/skylot/jadx/commit/f2ea6415c9228523eab1be4b1359eef43ba64372",
        "signature_type": "Function",
        "target": {
            "file": "jadx-core/src/main/java/jadx/api/JadxArgsValidator.java",
            "function": "checkInputFiles"
        },
        "digest": {
            "function_hash": "201810337535445650311785320384603942366",
            "length": 414.0
        },
        "deprecated": false
    },
    {
        "id": "CVE-2024-32653-e428e235",
        "signature_version": "v1",
        "source": "https://github.com/skylot/jadx/commit/f2ea6415c9228523eab1be4b1359eef43ba64372",
        "signature_type": "Function",
        "target": {
            "file": "jadx-cli/src/main/java/jadx/cli/JadxCLICommands.java",
            "function": "process"
        },
        "digest": {
            "function_hash": "16049464319790080133363630192845134617",
            "length": 289.0
        },
        "deprecated": false
    },
    {
        "id": "CVE-2024-32653-e8f489a3",
        "signature_version": "v1",
        "source": "https://github.com/skylot/jadx/commit/f2ea6415c9228523eab1be4b1359eef43ba64372",
        "signature_type": "Function",
        "target": {
            "file": "jadx-cli/src/main/java/jadx/cli/JadxCLIArgs.java",
            "function": "process"
        },
        "digest": {
            "function_hash": "329689926234255463177404867691350707286",
            "length": 536.0
        },
        "deprecated": false
    }
]
vanir_signatures_modified
"2026-04-12T09:49:34Z"
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-32653.json"