Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2023-44128

he vulnerability is to delete arbitrary files in LGInstallService ("com.lge.lginstallservies") app. The app contains the exported "com.lge.lginstallservies.InstallService" service that exposes an AIDL interface. All its "installPackage*" methods are finally calling the "installPackageVerify()" method that performs signature validation after the delete file method. An attacker can control conditions so this security check is never performed and an attacker-controlled file is deleted.

Published

2023-09-27T15:19:37.217

Last Modified

2024-11-21T08:25:18.250

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 5.0 (MEDIUM)

Weaknesses

Type: Secondary
CWE-367
Type: Primary
CWE-367

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Operating System	google	android	≤ 13.0	Yes
Hardware	lg	v60_thin_q_5g	-	No

References

https://lgsecurity.lge.com/bulletins/mobile#updateDetails Vendor Advisory ([email protected])
https://lgsecurity.lge.com/bulletins/mobile#updateDetails Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)