
Jumio Android SDK Deserialization Code Execution

Aleph Research Advisory

Identifier

Severity

High

Product

Jumio SDK

Vulnerable Version

Before 1.5.0

Mitigation

Use version 1.5.0 or later.

Technical Details

The Jumio SDK for Android contains a Serializable class with a ‘finalize’ method that later calls a native function with an attacker-controllable pointer, eventually allowing code execution by malicious apps.
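The pattern described above, shown as an added illustration written for this advisory and not taken from the Jumio SDK, followed by a hardened form; the class, field and JNI function names are hypothetical:

```java
// Added illustration (not Jumio's code): the Java-serialization pattern the advisory
// describes, followed by a hardened version. Class, field and JNI names are hypothetical.
import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.ObjectInputStream;
import java.io.Serializable;

// VULNERABLE PATTERN: the native handle is an ordinary serializable field, so any
// app that can hand this process a serialized object (for example in an Intent extra)
// chooses its value. When the deserialized object is garbage collected, finalize()
// passes that value to native code, which treats it as a pointer.
class NativeHolderVulnerable implements Serializable {
    private static final long serialVersionUID = 1L;
    private long nativeHandle;          // attacker-controlled after deserialization

    private static native void nativeRelease(long handle);   // hypothetical JNI function

    @Override
    protected void finalize() throws Throwable {
        try {
            nativeRelease(nativeHandle);   // dereferences an attacker-chosen value
        } finally {
            super.finalize();
        }
    }
}

// HARDENED PATTERN: the handle never travels through serialization (transient), the
// class refuses to be rebuilt from a byte stream, and release is explicit rather than
// in finalize(). If the class does not need Serializable at all, dropping the
// interface is the simplest fix.
final class NativeHolderHardened implements Serializable, AutoCloseable {
    private static final long serialVersionUID = 1L;
    private transient long nativeHandle;   // transient: never written or read by serialization

    private static native void nativeRelease(long handle);   // hypothetical JNI function

    // Reject any attempt to deserialize this class.
    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        throw new InvalidObjectException("NativeHolderHardened cannot be deserialized");
    }

    @Override
    public void close() {
        if (nativeHandle != 0) {          // only release a handle this process created
            nativeRelease(nativeHandle);
            nativeHandle = 0;
        }
    }
}
```

When reviewing an SDK for this class of bug, the things to look for are Serializable classes holding raw native handles (long fields passed to JNI) and any finalize() or readObject() that acts on such a field.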

Timeline

Credit

External References