CVE-2024-10382

HIGH

Google Androidx.car.app < 1.4.0 - Insecure Deserialization

Title source: rule

Description

There exists a code execution vulnerability in the Car App Android Jetpack Library. CarAppService uses deserialization logic that allows construction of arbitrary java classes. This can lead to arbitrary code execution when combined with specific Java deserialization gadgets. An attacker needs to install a malicious application on victims device to be able to attack any application that uses vulnerable library. We recommend upgrading the library past version 1.7.0-beta02.

References (1)

[Release Notes] https://developer.android.com/jetpack/androidx/releases/car-app#1.7.0-beta03

Scores

CVSS v3 7.5

EPSS 0.0005

EPSS Percentile 15.8%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

Classification

CWE

CWE-502 CWE-94

Status published

Affected Products (4)

google/androidx.car.app < 1.4.0

google/androidx.car.app

Timeline

Published Nov 20, 2024

Tracked Since Feb 18, 2026