CVE-2023-44128

he vulnerability is to delete arbitrary files in LGInstallService ("com.lge.lginstallservies") app. The app contains the exported "com.lge.lginstallservies.InstallService" service that exposes an AIDL interface. All its "installPackage*" methods are finally calling the "installPackageVerify()" method that performs signature validation after the delete file method. An attacker can control conditions so this security check is never performed and an attacker-controlled file is deleted.
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:google:android:*:*:*:*:*:*:*:*
cpe:2.3:h:lg:v60_thin_q_5g:-:*:*:*:*:*:*:*

History

21 Nov 2024, 08:25

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 3.6
v2 : unknown
v3 : 5.0
References () https://lgsecurity.lge.com/bulletins/mobile#updateDetails - Vendor Advisory () https://lgsecurity.lge.com/bulletins/mobile#updateDetails - Vendor Advisory

02 Oct 2023, 18:20

Type Values Removed Values Added
CWE CWE-367
First Time Google android
Lg v60 Thin Q 5g
Google
Lg
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 3.6
References (MISC) https://lgsecurity.lge.com/bulletins/mobile#updateDetails - (MISC) https://lgsecurity.lge.com/bulletins/mobile#updateDetails - Vendor Advisory
CPE cpe:2.3:h:lg:v60_thin_q_5g:-:*:*:*:*:*:*:*
cpe:2.3:o:google:android:*:*:*:*:*:*:*:*

27 Sep 2023, 15:19

Type Values Removed Values Added
New CVE

Information

Published : 2023-09-27 15:19

Updated : 2024-11-21 08:25


NVD link : CVE-2023-44128

Mitre link : CVE-2023-44128

CVE.ORG link : CVE-2023-44128


JSON object : View

Products Affected

lg

  • v60_thin_q_5g

google

  • android
CWE
CWE-367

Time-of-check Time-of-use (TOCTOU) Race Condition