CVE-2024-21633

HIGH NUCLEI

Apktool < 2.9.2 - Path Traversal

Title source: rule

Description

Apktool is a tool for reverse engineering Android APK files. In versions 2.9.1 and prior, Apktool infers resource files' output path according to their resource names which can be manipulated by attacker to place files at desired location on the system Apktool runs on. Affected environments are those in which an attacker may write/overwrite any file that user has write access, and either user name is known or cwd is under user folder. Commit d348c43b24a9de350ff6e5bd610545a10c1fc712 contains a patch for this issue.

Exploits (1)

nomisec WRITEUP 80 stars

by 0x33c0unt · poc

https://github.com/0x33c0unt/CVE-2024-21633

View Code ZIP pw:eip

Nuclei Templates (1)

MobSF - Path Traversal

HIGHVERIFIEDby Will Mccardell

FOFA: title="MobSF"

References (2)

[Patch] https://github.com/iBotPeaches/Apktool/commit/d348c43b24a9de350ff6e5bd610545a10c1fc712

[Exploit, Patch, Vendor Advisory] https://github.com/iBotPeaches/Apktool/security/advisories/GHSA-2hqv-2xv4-5h5w

Scores

CVSS v3 7.8

EPSS 0.8052

EPSS Percentile 99.1%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE

CWE-22

Status published

Products (1)

apktool/apktool < 2.9.2

Published Jan 03, 2024

Tracked Since Feb 18, 2026