PT-2024-1051 · Apktool +1
0X33C0Unt
Published 2024-01-03 · Updated 2024-12-12 · CVE-2024-21633
CVSS v3.1: 7.8 High | AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Apktool versions 2.9.1 and prior
Description
The issue is an improper limitation of a pathname to a restricted directory (path traversal). Apktool derives each resource file's output path from the resource's name as found in the input APK; an attacker who controls that name can therefore place files at a chosen location on the system Apktool runs on, writing or overwriting arbitrary data. Affected environments are those in which the attacker could thereby write or overwrite any file the user has write access to, and either the user name is known or the current working directory is under the user's home folder.
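As an added illustration of the defensive check this class of bug calls for (example code written for this advisory, not Apktool's own implementation or the fix in the commit below), the following decoder-side helper maps a resource entry to a path under the output directory and refuses any name that would escape it. The output directory, the `res/<type>/<name><ext>` layout and the sample resource table are all assumptions constructed for the example.

```python
"""Output-path containment for names taken from an untrusted input.

Example written for this advisory: a decoder that derives file paths from
resource names found inside an APK must confirm the resolved path stays under
the chosen output directory. Generic illustration, not Apktool's own code.
"""
import os


class UnsafeResourceName(ValueError):
    """Raised when a resource name cannot be mapped to a safe output path."""


def safe_resource_path(out_dir: str, res_type: str, res_name: str, ext: str) -> str:
    """Map a resource entry to ``<out_dir>/res/<res_type>/<res_name><ext>``.

    Rejects components that are empty, are ``.`` or ``..``, or contain path
    separators or NUL bytes, and, as a final check, anything whose resolved
    path is not inside ``out_dir`` (``realpath`` follows symlinks before the
    comparison, so a symlinked output directory is handled as well).
    """
    for part, label in ((res_type, "resource type"), (res_name, "resource name")):
        if not part or part in (".", ".."):
            raise UnsafeResourceName(f"{label} is empty or a dot entry: {part!r}")
        if any(ch in part for ch in ("/", "\\", "\x00")):
            raise UnsafeResourceName(f"{label} contains a path separator or NUL: {part!r}")
    base = os.path.realpath(out_dir)
    candidate = os.path.realpath(os.path.join(base, "res", res_type, res_name + ext))
    # The common prefix of base and candidate must be base itself; a sibling
    # directory such as <out_dir>-other would fail this comparison too.
    if os.path.commonpath([base, candidate]) != base:
        raise UnsafeResourceName(f"resolved path escapes output directory: {candidate}")
    return candidate


def plan_outputs(out_dir: str, entries):
    """Return (accepted, rejected) for a list of (type, name, ext) entries.

    ``accepted`` maps each safe entry to its output path; ``rejected`` maps
    each unsafe entry to the reason it was refused. No files are written.
    """
    accepted, rejected = {}, {}
    for res_type, res_name, ext in entries:
        key = (res_type, res_name, ext)
        try:
            accepted[key] = safe_resource_path(out_dir, res_type, res_name, ext)
        except UnsafeResourceName as exc:
            rejected[key] = str(exc)
    return accepted, rejected


# Constructed sample resource table (assumption): three ordinary entries and
# two whose name or type tries to steer the output outside the decode directory.
SAMPLE_ENTRIES = [
    ("drawable", "icon", ".png"),
    ("layout", "activity_main", ".xml"),
    ("raw", "config", ".json"),
    ("drawable", "../../../example.txt", ".png"),  # traversal via the name
    ("..", "example", ""),                         # traversal via the type
]

if __name__ == "__main__":
    ok, bad = plan_outputs("/tmp/apktool-out", SAMPLE_ENTRIES)
    for path in ok.values():
        print("write  ", path)
    for entry, why in bad.items():
        print("reject ", entry, "->", why)
```

Running the module prints three planned writes under `/tmp/apktool-out/res/` and two rejections. The string checks on each component catch the ordinary cases early with a precise reason; the `commonpath` comparison after `realpath` is the check that actually guarantees containment, and is the one to keep even if the name rules are relaxed.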
Recommendations
For versions 2.9.1 and prior, apply the patch from commit d348c43b24a9de350ff6e5bd610545a10c1fc712 to resolve the issue. As a temporary workaround, restrict write access to sensitive files and directories to minimize the risk of exploitation, and avoid running Apktool on untrusted input in environments where an attacker could thereby gain write access to critical files or directories until the patch is applied.
Exploit · Fix · Path traversal
Weakness Enumeration
Related Identifiers
Affected Products: Apktool · Debian