Vulnerability Details : CVE-2011-1001
dexdump in Android SDK before 2.3 does not properly perform structural verification, which allows user-assisted remote attackers to cause a denial of service (dexdump crash) and possibly execute arbitrary code via a malformed APK or dex file that calls a method using more arguments than the number of register that have been declared for that method.
Vulnerability category: Input validationExecute codeDenial of service
Products affected by CVE-2011-1001
- cpe:2.3:a:google:android_sdk:*:*:*:*:*:*:*:*
- cpe:2.3:a:google:android_sdk:1.5:*:*:*:*:*:*:*
- cpe:2.3:a:google:android_sdk:1.1:*:*:*:*:*:*:*
- cpe:2.3:a:google:android_sdk:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:android_sdk:1.6:*:*:*:*:*:*:*
- cpe:2.3:a:google:android_sdk:2.1:*:*:*:*:*:*:*
- cpe:2.3:a:google:android_sdk:2.0.1:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2011-1001
0.28%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 65 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2011-1001
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3
|
MEDIUM | AV:N/AC:M/Au:N/C:N/I:N/A:P |
8.6
|
2.9
|
NIST |
CWE ids for CVE-2011-1001
-
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.Assigned by: nvd@nist.gov (Primary)
References for CVE-2011-1001
-
http://seclists.org/fulldisclosure/2011/Mar/329
Full Disclosure: Android SDK: Segmentation fault with dexdump / dexDecodeDebugInfo
-
http://android.git.kernel.org/?p=platform/dalvik.git;a=commit;h=4b0750e8df91220690bb417f45d7ae8b7851b220
Patch
Jump to