Vulnerability CVE-2014-7911
Published: 2014-12-15

Description:
luni/src/main/java/java/io/ObjectInputStream.java in the java.io.ObjectInputStream implementation in Android before 5.0.0 does not verify that deserialization will result in an object that met the requirements for serialization, which allows attackers to execute arbitrary code via a crafted finalize method for a serialized object in an ArrayMap Parcel within an intent sent to system_service, as demonstrated by the finalize method of android.os.BinderProxy, aka Bug 15874291.

See advisories in our WLB2 database:
Topic
Author
Date
Med.
Google Android Integer Oveflow / Heap Corruption
Guang Gong
12.03.2015

Type:

CWE-264

 (Permissions, Privileges, and Access Controls)

CVSS2 => (AV:L/AC:L/Au:N/C:C/I:C/A:C)

CVSS Base Score
Impact Subscore
Exploitability Subscore
7.2/10
10/10
3.9/10
Exploit range
Attack complexity
Authentication
Local
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Complete
Complete
Complete
Affected software
Google -> Android 

 References:
https://android.googlesource.com/platform/libcore/+/738c833d38d41f8f76eb7e77ab39add82b1ae1e2
http://seclists.org/fulldisclosure/2014/Nov/51
Copyright 2024, cxsecurity.com

 

Back to Top