GHSA-3hpf-ff72-j67p

Source
https://github.com/advisories/GHSA-3hpf-ff72-j67p
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-3hpf-ff72-j67p/GHSA-3hpf-ff72-j67p.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-3hpf-ff72-j67p
Published
2024-12-06T21:24:30Z
Modified
2024-12-06T21:24:30Z
Severity
  • 3.0 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:L
Summary
shared_preferences_android vulnerability
Details

Impact

Because some data types cannot be natively represented by the available storage options, shared_preferences_android serializes and deserializes them using special string prefixes. The deserialization step allows arbitrary classes to be deserialized, which can lead to arbitrary code execution.

As a result, a file containing the preferences can be overwritten with a malicious one carrying a deserialization payload that triggers as soon as the data is loaded from disk.

Patches

2.3.4

Workarounds

Update to the latest version of shared_preferences_android, which contains the changes that address this vulnerability.

References

TBD

For more information

See our community page to find ways to contact the team.

Thanks

Thank you so much to Oskar Zeino-Mahmalat from SonarSource for finding and reporting this issue!

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-502"
    ],
    "severity": "LOW",
    "github_reviewed": true,
    "github_reviewed_at": "2024-12-06T21:24:30Z"
}
Affected packages

Pub / shared_preferences_android

Package

Name
shared_preferences_android
Purl
pkg:pub/shared_preferences_android

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.3.3
Fixed
2.3.4

Affected versions

2.*

2.3.3