Description
A local, arbitrary code execution vulnerability exists in the SplitCompat.install endpoint in Android's Play Core Library versions prior to 1.7.2. A malicious attacker could create an apk which targets a specific application, and if a victim were to install this apk, the attacker could perform a directory traversal, execute code as the targeted application and access the targeted application's data on the Android device. We recommend all users update Play Core to version 1.7.2 or later.
Remediation
References
https://blog.oversecured.com/Oversecured-automatically-discovers-persistent-code-execution-in-the-Google-Play-Core-Library/
https://developer.android.com/reference/com/google/android/play/core/release-notes#1-7-2
Related Vulnerabilities
CVE-2023-33546 Vulnerability in maven package org.codehaus.janino:janino-parent
CVE-2022-41654 Vulnerability in npm package ghost
CVE-2022-39353 Vulnerability in maven package org.webjars.npm:xmldom
CVE-2020-28458 Vulnerability in maven package org.webjars.npm:datatables.net
CVE-2018-19048 Vulnerability in maven package org.webjars.bower:simditor