{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-43399", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-08-12T18:02:04.965Z", "datePublished": "2024-08-19T14:44:47.180Z", "dateUpdated": "2024-08-19T15:27:04.688Z"}, "containers": {"cna": {"title": "Mobile Security Framework (MobSF) has a Zip Slip Vulnerability in .a Static Library Files", "problemTypes": [{"descriptions": [{"cweId": "CWE-23", "lang": "en", "description": "CWE-23: Relative Path Traversal", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-4hh3-vj32-gr6j", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-4hh3-vj32-gr6j"}, {"name": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/cc625fe8430f3437a473e82aa2966d100a4dc883", "tags": ["x_refsource_MISC"], "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/cc625fe8430f3437a473e82aa2966d100a4dc883"}], "affected": [{"vendor": "MobSF", "product": "Mobile-Security-Framework-MobSF", "versions": [{"version": "< 4.0.7", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-08-19T14:44:47.180Z"}, "descriptions": [{"lang": "en", "value": "Mobile Security Framework (MobSF) is a pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. Before 4.0.7, there is a flaw in the Static Libraries analysis section. Specifically, during the extraction of .a extension files, the measure intended to prevent Zip Slip attacks is improperly implemented. Since the implemented measure can be bypassed, the vulnerability allows an attacker to extract files to any desired location within the server running MobSF. This vulnerability is fixed in 4.0.7."}], "source": {"advisory": "GHSA-4hh3-vj32-gr6j", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "mobsf", "product": "mobile_security_framework", "cpes": ["cpe:2.3:a:mobsf:mobile_security_framework:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "4.0.7", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-19T15:23:58.694432Z", "id": "CVE-2024-43399", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-19T15:27:04.688Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-43399", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-08-19T15:23:58.694432Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:mobsf:mobile_security_framework:*:*:*:*:*:*:*:*"], "vendor": "mobsf", "product": "mobile_security_framework", "versions": [{"status": "affected", "version": "0", "lessThan": "4.0.7", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-19T15:26:34.509Z"}}], "cna": {"title": "Mobile Security Framework (MobSF) has a Zip Slip Vulnerability in .a Static Library Files", "source": {"advisory": "GHSA-4hh3-vj32-gr6j", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "MobSF", "product": "Mobile-Security-Framework-MobSF", "versions": [{"status": "affected", "version": "< 4.0.7"}]}], "references": [{"url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-4hh3-vj32-gr6j", "name": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-4hh3-vj32-gr6j", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/cc625fe8430f3437a473e82aa2966d100a4dc883", "name": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/cc625fe8430f3437a473e82aa2966d100a4dc883", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Mobile Security Framework (MobSF) is a pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. Before 4.0.7, there is a flaw in the Static Libraries analysis section. Specifically, during the extraction of .a extension files, the measure intended to prevent Zip Slip attacks is improperly implemented. Since the implemented measure can be bypassed, the vulnerability allows an attacker to extract files to any desired location within the server running MobSF. This vulnerability is fixed in 4.0.7."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-23", "description": "CWE-23: Relative Path Traversal"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-08-19T14:44:47.180Z"}}}, "cveMetadata": {"cveId": "CVE-2024-43399", "state": "PUBLISHED", "dateUpdated": "2024-08-19T15:27:04.688Z", "dateReserved": "2024-08-12T18:02:04.965Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-08-19T14:44:47.180Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:opensecurity:mobile_security_framework:*:*:*:*:*:*:*:*", "matchCriteriaId": "4529C637-FF24-4DD7-8CBA-6FBF37E4F75B", "versionEndExcluding": "4.0.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Mobile Security Framework (MobSF) is a pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. Before 4.0.7, there is a flaw in the Static Libraries analysis section. Specifically, during the extraction of .a extension files, the measure intended to prevent Zip Slip attacks is improperly implemented. Since the implemented measure can be bypassed, the vulnerability allows an attacker to extract files to any desired location within the server running MobSF. This vulnerability is fixed in 4.0.7."}, {"lang": "es", "value": "Mobile Security Framework (MobSF) es un framework de prueba de penetraci\u00f3n, an\u00e1lisis de malware y evaluaci\u00f3n de seguridad capaz de realizar an\u00e1lisis est\u00e1ticos y din\u00e1micos. Antes de 4.0.7, hab\u00eda una falla en la secci\u00f3n de an\u00e1lisis de librer\u00edas est\u00e1ticas. En concreto, durante la extracci\u00f3n de archivos de extensi\u00f3n .a, la medida destinada a prevenir ataques Zip Slip se implementa incorrectamente. Dado que la medida implementada se puede eludir, la vulnerabilidad permite a un atacante extraer archivos a cualquier ubicaci\u00f3n deseada dentro del servidor que ejecuta MobSF. Esta vulnerabilidad se solucion\u00f3 en 4.0.7."}], "id": "CVE-2024-43399", "lastModified": "2024-08-20T16:21:22.747", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-08-19T15:15:09.073", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/cc625fe8430f3437a473e82aa2966d100a4dc883"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-4hh3-vj32-gr6j"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-23"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}