CVE-2024-21633
Published: 03 January 2024
Summary
CVE-2024-21633 is a high-severity Path Traversal (CWE-22) vulnerability in Apktool. Its CVSS base score is 7.8 (High).
Operationally, it ranks in the top 1.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
Apktool is a command-line tool used for reverse engineering Android APK files. CVE-2024-21633 is a path traversal vulnerability (CWE-22) present in versions 2.9.1 and earlier. The tool determines output paths for resource files solely from names embedded in the APK, allowing an attacker-controlled name to influence filesystem writes performed during decoding or rebuilding operations.
An attacker can supply a malicious APK that, when processed by Apktool under a user account, causes arbitrary files to be written or overwritten in locations where that user has write access. Successful exploitation requires either knowledge of the target username or execution from a working directory beneath the user’s home folder, and can result in modification of configuration, binaries, or other sensitive files on the host system. The CVSS 7.8 score reflects local attack vector, low complexity, and high impact on confidentiality, integrity, and availability.
The project’s security advisory GHSA-2hqv-2xv4-5h5w and the referenced commit d348c43b24a9de350ff6e5bd610545a10c1fc712 document the fix and recommend that users update to a patched release. The EPSS score rose from lower values to a peak of 0.8052 before receding to the current 0.6819, indicating increased exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-19273
Vulnerability details
Apktool is a tool for reverse engineering Android APK files. In versions 2.9.1 and prior, Apktool infers resource files' output path from their resource names, which can be manipulated by an attacker to place files at a desired location on the system Apktool runs on. Affected environments are those in which an attacker may write/overwrite any file the user has write access to, and either the user name is known or the cwd is under the user folder. Commit d348c43b24a9de350ff6e5bd610545a10c1fc712 contains a patch for this issue.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.
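The weakness described in the analysis above (output paths derived solely from names inside an untrusted archive) and the control listed here (validating pathnames so they stay inside the intended directory) are illustrated by the following added example. It is not Apktool's code and does not reproduce its patch; it shows the generic CWE-22 pattern beside a containment check in Python. The output directory and the resource names are constructed samples, and no files are written.

```python
"""Path-containment check for archive-derived output names (added example).

Shows the CWE-22 pattern behind CVE-2024-21633 in generic form: an
extractor that builds output paths from names found inside an untrusted
archive, beside the containment check that rejects names escaping the
output directory. Nothing here is written to disk; the functions only
compute and classify paths.
"""
from pathlib import Path, PurePosixPath

# Constructed output directory; it does not need to exist for the checks.
OUT_DIR = "/tmp/apktool_out_example"

# Constructed resource names, not taken from any real APK.
SAMPLE_RESOURCE_NAMES = [
    "res/layout/activity_main.xml",  # ordinary resource
    "res/drawable/icon.png",         # ordinary resource
    "../../.bashrc",                 # parent segments at the start
    "/etc/hostname",                 # absolute path replaces the base
    "res/../../outside.txt",         # parent segments hidden mid-path
]


def unsafe_output_path(out_dir, resource_name):
    """Vulnerable pattern: trust the archive-supplied name verbatim.

    Path joining discards the base for absolute names and keeps '..'
    segments, so the result may lie anywhere the process can write.
    """
    return Path(out_dir) / resource_name


def escapes_output_dir(out_dir, resource_name):
    """Return True if the unsafe join would land outside out_dir."""
    base = Path(out_dir).resolve()
    target = unsafe_output_path(out_dir, resource_name).resolve()
    return target != base and base not in target.parents


def safe_output_path(out_dir, resource_name):
    """Hardened pattern: validate the name, then verify containment.

    Rejects empty, absolute and '..'-containing names up front, then
    resolves the joined path and requires it to remain under out_dir
    (this second check also covers platform-specific join surprises).
    Raises ValueError on rejection and returns the resolved path otherwise.
    """
    name = PurePosixPath(resource_name)
    if not name.parts:
        raise ValueError("empty resource name")
    if name.is_absolute():
        raise ValueError(f"absolute resource name: {resource_name!r}")
    if ".." in name.parts:
        raise ValueError(f"parent-directory segment in: {resource_name!r}")

    base = Path(out_dir).resolve()
    target = (base / name).resolve()
    if target == base or base not in target.parents:
        raise ValueError(f"resolves outside output directory: {resource_name!r}")
    return target


def plan_writes(out_dir, names):
    """Classify names into accepted output paths and rejected (name, reason)."""
    accepted, rejected = [], []
    for n in names:
        try:
            accepted.append(safe_output_path(out_dir, n))
        except ValueError as exc:
            rejected.append((n, str(exc)))
    return accepted, rejected


if __name__ == "__main__":
    for n in SAMPLE_RESOURCE_NAMES:
        print(f"{n!r:32} unsafe join escapes: {escapes_output_dir(OUT_DIR, n)}")
    ok, bad = plan_writes(OUT_DIR, SAMPLE_RESOURCE_NAMES)
    print("accepted:", [str(p) for p in ok])
    print("rejected:", bad)
```

The early `..` rejection is deliberately stricter than pure normalisation: a name such as `res/../layout/a.xml` would normalise to a safe location, but archive names have no legitimate reason to contain parent segments, and rejecting them outright removes a class of edge cases (symlinked subdirectories, case-folding filesystems) that a resolve-then-compare check alone handles less predictably.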