he vulnerability is to delete arbitrary files in LGInstallService ("com.lge.lginstallservies") app. The app contains the exported "com.lge.lginstallservies.InstallService" service that exposes an AIDL interface. All its "installPackage*" methods are finally calling the "installPackageVerify()" method that performs signature validation after the delete file method. An attacker can control conditions so this security check is never performed and an attacker-controlled file is deleted.
References
Link | Resource |
---|---|
https://lgsecurity.lge.com/bulletins/mobile#updateDetails | Vendor Advisory |
https://lgsecurity.lge.com/bulletins/mobile#updateDetails | Vendor Advisory |
Configurations
Configuration 1 (hide)
AND |
|
History
21 Nov 2024, 08:25
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 5.0 |
References | () https://lgsecurity.lge.com/bulletins/mobile#updateDetails - Vendor Advisory |
02 Oct 2023, 18:20
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-367 | |
First Time |
Google android
Lg v60 Thin Q 5g Lg |
|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 3.6 |
References | (MISC) https://lgsecurity.lge.com/bulletins/mobile#updateDetails - Vendor Advisory | |
CPE | cpe:2.3:h:lg:v60_thin_q_5g:-:*:*:*:*:*:*:* cpe:2.3:o:google:android:*:*:*:*:*:*:*:* |
27 Sep 2023, 15:19
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-09-27 15:19
Updated : 2024-11-21 08:25
NVD link : CVE-2023-44128
Mitre link : CVE-2023-44128
CVE.ORG link : CVE-2023-44128
JSON object : View
Products Affected
lg
- v60_thin_q_5g
- android
CWE
CWE-367
Time-of-check Time-of-use (TOCTOU) Race Condition