CVE-2021-21386 CRITICAL

CVE-2021-21386: Improper Neutralization of Argument Delimiters in a Decompiling Package Process

Vendor: Dwisiswant0
Product: apkleaks
Weakness: CWE-88
Published: March 24, 2021
Last update: August 3, 2024

CVSS base score

9.3/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: Required
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

What the vulnerability does

01 Description

APKLeaks is an open-source project for scanning APK files for URIs, endpoints and secrets. APKLeaks prior to v2.0.3 allows remote attackers to execute arbitrary OS commands via the package name inside the application manifest. Through a malicious package name, an attacker could include arguments that allow unintended commands or code to be executed, allow sensitive data to be read or modified, or cause other unintended behavior. The problem is fixed in version v2.0.6-dev and above.
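The mitigation for this class of weakness (CWE-88), as an added example that is not apkleaks' own code: validate the manifest's package name against the Android application ID grammar before it reaches a command line, and pass arguments as a list rather than a shell string. The tool name `example-decompiler`, its `--out` flag and its support for `--` are hypothetical assumptions, and the sample names are constructed.

```python
import re
from pathlib import Path

# Android application ID grammar: at least two dot-separated segments, each
# starting with a letter and containing only letters, digits and underscores.
_PACKAGE_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]*(?:\.[A-Za-z][A-Za-z0-9_]*)+")

DECOMPILER = "example-decompiler"  # hypothetical tool name (assumption)


def safe_package_name(name: str) -> str:
    """Return the name unchanged if it is well formed, otherwise raise."""
    # fullmatch (not match with "$") so a trailing newline is rejected too.
    if len(name) > 255 or not _PACKAGE_RE.fullmatch(name):
        raise ValueError(f"rejected package name: {name!r}")
    return name


def build_decompile_argv(apk_path: str, package: str, work_root: str) -> list[str]:
    """Build an argv list for the decompiler; no shell string is ever formed."""
    out_dir = Path(work_root) / safe_package_name(package)
    # An absolute path cannot begin with "-" and be parsed as an option.
    apk = Path(apk_path).resolve()
    # "--" ends option parsing (assumed to be honoured by the hypothetical tool).
    return [DECOMPILER, "--out", str(out_dir), "--", str(apk)]


if __name__ == "__main__":
    # Constructed sample names: one well formed, the rest carrying delimiters.
    samples = [
        "com.example.app",
        "com.example.app --out=/tmp/x",
        "-rf",
        "com.example.app;id",
        "../../etc",
    ]
    for pkg in samples:
        try:
            print(build_decompile_argv("sample.apk", pkg, "/tmp/work"))
        except ValueError as exc:
            print(exc)
```

The resulting list is meant to be handed to `subprocess.run(argv)` with the default `shell=False`, so the package name can only ever occupy one path component of one argument.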

Key dates

02 Disclosure timeline

March 24, 2021: CVE published
August 3, 2024: Record updated