CVE-2021-21386
APKLeaks < 2.0.3 - OS Command Injection via Package Name in Application Manifest
Severity: CRITICAL
APKLeaks is an open-source project for scanning APK files for URIs, endpoints and secrets. APKLeaks prior to v2.0.3 allows remote attackers to execute arbitrary OS commands via the package name inside the application manifest. An attacker could include arguments in a malicious package name that cause unintended commands or code to be executed, allow sensitive data to be read or modified, or cause other unintended behavior. The problem is fixed in version v2.0.6-dev and above.
References (2)
Patch, Third Party Advisory (x_refsource_confirm):
https://github.com/dwisiswant0/apkleaks/security/advisories/GHSA-8434-v7xw-8m9x
Patch, Third Party Advisory (x_refsource_misc):
https://github.com/dwisiswant0/apkleaks/commit/a966e781499ff6fd4eea66876d7532301b13a382
Scores
CVSS v3
9.3
EPSS
0.0231
EPSS Percentile
81.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Details
CWE
CWE-78
CWE-88
Status
published
Products (2)
apkleaks_project/apkleaks
< 2.0.3
pypi/APKLeaks
0 - 2.0.4 (PyPI)
Published
Mar 24, 2021
Tracked Since
Feb 18, 2026