Lucene search

FacebookCVE-2022-36938

HistoryNov 11, 2022 - 12:15 a.m.

CVE-2022-36938

2022-11-1100:15:10

CWE-1284

CWE-125

facebook

web.nvd.nist.gov

cve-2022-36938

redex

remote code execution

android

apk

security vulnerability

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.5

Confidence

High

EPSS

0.004

Percentile

72.6%

JSON

DexLoader function get_stringidx_fromdex() in Redex prior to commit 3b44c64 can load an out of bound address when loading the string index table, potentially allowing remote code execution during processing of a 3rd party Android APK file.

Affected configurations

Nvd

Node

facebookredexRange<2022-11-04

VendorProductVersionCPE
facebookredex*cpe:2.3:a:facebook:redex:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
facebook	redex	*	cpe:2.3:a:facebook:redex::::::::

CNA Affected

[
  {
    "vendor": "Facebook",
    "product": "Redex",
    "versions": [
      {
        "version": "unspecified",
        "lessThan": "3b44c64",
        "status": "affected",
        "versionType": "custom"
      }
    ]
  }
]

References

github.com/facebook/redex/commit/3b44c640346b77bfb7ef36e2413688dd460288d2

Social References

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.5

Confidence

High

EPSS

0.004

Percentile

72.6%

JSON

Related for CVE-2022-36938