CVE-2021-21386

Description

APKLeaks prior to v2.0.4 allows remote authenticated attackers to execute arbitrary OS commands via package name inside the application manifest. ### Impact An authenticated attacker could include arguments that allow unintended commands or code to be executed, allow sensitive data to be read or modified, or could cause other unintended behavior through malicious package names. ### References - a966e781499ff6fd4eea66876d7532301b13a382 ### For more information If you have any questions or comments about this advisory: * Email me at [[email protected]](mailto:[email protected])

How to fix CVE-2021-21386

To remediate CVE-2021-21386, upgrade the affected package to a fixed version below.

• —upgrade to 2.0.4 or later

Is CVE-2021-21386 being exploited?

Low — EPSS is 1.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 2.0.4

CVSS scores

References (4)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-21386
• PATCHgithub.com/dwisiswant0/apkleaks
• WEBgithub.com/dwisiswant0/apkleaks/commit/a966e781499ff6fd4eea66876d7532301b13a382
• WEBgithub.com/dwisiswant0/apkleaks/security/advisories/GHSA-8434-v7xw-8m9x