PT-2024-16235 · Google · Car App Android Jetpack Library

Author: Khanh Pham (+1)

Published: 2024-11-20 · Updated: 2025-07-29 · CVE-2024-10382

CVSS v3.1: 7.5 (High)
Vector: AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Car App Android Jetpack Library versions prior to 1.7.0-beta02

Description: The issue is a code execution vulnerability in the Car App Android Jetpack Library. Specifically, the CarAppService uses deserialization logic that allows arbitrary Java classes to be constructed from data supplied by another application, which can lead to arbitrary code execution when combined with suitable Java deserialization gadgets. An attacker needs to install a malicious application on the victim's device in order to attack any application that uses the vulnerable library.

Recommendations: For versions prior to 1.7.0-beta02, upgrade the library to version 1.7.0-beta02 or later to resolve the issue. As a temporary workaround, consider restricting use of the CarAppService until the patched version can be deployed. Avoid using the vulnerable library in applications until the issue is resolved.
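To illustrate the defensive counterpart of the weakness described above, here is an added example (not code from the Car App library or its fix) of a look-ahead deserializer that rejects any class not on an explicit allowlist before an instance of it is created; the class name AllowlistObjectInputStream, the allowlist contents and the two sample payloads are constructed for this illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Set;
// ObjectInputStream that refuses to resolve any class outside an explicit allowlist (hypothetical name).
public final class AllowlistObjectInputStream extends ObjectInputStream {
    private final Set<String> allowed;
    public AllowlistObjectInputStream(byte[] data, Set<String> allowed) throws IOException {
        super(new ByteArrayInputStream(data));
        this.allowed = allowed;
    }
    // Called for every class descriptor in the stream before an instance exists, so an unexpected class is refused early.
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        if (!allowed.contains(desc.getName())) {
            throw new InvalidClassException(desc.getName(), "not on deserialization allowlist");
        }
        return super.resolveClass(desc);
    }
    // Serializes a value to bytes; stands in for data received from another app over IPC.
    static byte[] toBytes(Object value) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(value);
        }
        return bos.toByteArray();
    }
    public static void main(String[] args) throws Exception {
        // Only the types the host app genuinely expects from a client belong on the allowlist.
        Set<String> allowed = Collections.singleton("java.util.ArrayList");
        // Constructed sample 1: an ArrayList of strings, permitted by the allowlist.
        byte[] expected = toBytes(new ArrayList<>(Collections.singletonList("hello")));
        try (ObjectInputStream in = new AllowlistObjectInputStream(expected, allowed)) {
            System.out.println("accepted: " + in.readObject());
        }
        // Constructed sample 2: a java.util.Date, Serializable but not an expected type, so it is rejected.
        try (ObjectInputStream in = new AllowlistObjectInputStream(toBytes(new java.util.Date(0)), allowed)) {
            in.readObject();
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

On Java 9+ (and Android releases that ship it) java.io.ObjectInputFilter is the preferred mechanism; resolveClass is shown because it exists on every Java version, but a production override should also cover resolveProxyClass, which this example leaves at its default.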

Weakness Enumeration: Code Injection; Deserialization of Untrusted Data

Related Identifiers: CVE-2024-10382

Affected Products: Car App Android Jetpack Library