CVE-2022-36938
Severity Score
9.8
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
DexLoader function get_stringidx_fromdex() in Redex prior to commit 3b44c64 can load an out of bound address when loading the string index table, potentially allowing remote code execution during processing of a 3rd party Android APK file.
La función DexLoader get_stringidx_fromdex() en Redex antes del commit 3b44c64 puede cargar una dirección fuera de límite al cargar la tabla de índice de cadenas, lo que potencialmente permite la ejecución remota de código durante el procesamiento de un archivo APK de Android de terceros.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2022-07-27 CVE Reserved
- 2022-11-10 CVE Published
- 2024-06-17 EPSS Updated
- 2024-08-03 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-125: Out-of-bounds Read
- CWE-1284: Improper Validation of Specified Quantity in Input
CAPEC
References (1)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://github.com/facebook/redex/commit/3b44c640346b77bfb7ef36e2413688dd460288d2 | 2023-11-07 |
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Facebook Search vendor "Facebook" | Redex Search vendor "Facebook" for product "Redex" | < 2022-11-04 Search vendor "Facebook" for product "Redex" and version " < 2022-11-04" | - |
Affected
| ||||||