PT-2021-12028 · Shenzhim · Aaptjs

Mohanl0L

Published

2021-10-31

Updated

2022-05-03

CVE-2020-36378

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: shenzhim aaptjs version 1.3.1

Description: An issue was discovered in the packageCmd function, allowing attackers to execute arbitrary code via the filePath parameters. This issue affects the shenzhim aaptjs package, which is a node wrapper for aapt.

Recommendations: For shenzhim aaptjs version 1.3.1, consider disabling the packageCmd function until a patch is available to prevent exploitation via the filePath parameters. Restrict access to the filePath parameters in the affected function to minimize the risk of arbitrary code execution. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Command Injection

OS Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-77CWE-78

Related Identifiers

CVE-2020-36378

GHSA-4QWQ-Q4PR-RR7R

Affected Products

Aaptjs

PT-2021-12028 · Shenzhim · Aaptjs

CVE-2020-36378

Weakness Enumeration

Related Identifiers

Affected Products

References · 7