
esri ArcGis Android SDK Deserialization Code Execution

Aleph Research Advisory

Identifier

Severity

High

Product

esri ArcGis

Vulnerable Version

Before version 10.2.6-2

Mitigation

Use version 10.2.6-2 or later.

Technical Details

The esri ArcGis SDK for Android contains a class that implements Serializable and overrides ‘finalize’. That ‘finalize’ method passes a pointer value taken from the object's deserialized state to a native function. Because the value is restored from the serialized byte stream rather than allocated by the SDK, an app that deserializes untrusted data with the SDK class on its classpath lets an attacker choose the pointer; when the garbage collector finalizes the object, the native code operates on the attacker-controllable pointer, eventually allowing code execution by malicious apps.
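As an added illustration (not code from the advisory, esri or the ArcGis SDK), the following Java shows the bug class described above next to a hardened counterpart. The class names, the `nativePtr` field and `nativeRelease()` are hypothetical; the JNI call is replaced by a plain Java stub that only records the pointer it was handed, so the program runs without a native library. The pointer value the "attacker" picks is a constructed marker, not a real address.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Hypothetical illustration of the advisory's bug class; not the ArcGis SDK's code.
public class FinalizeDeserializationDemo {

    // Stand-in for a JNI entry point such as `native void nativeRelease(long ptr)`.
    // Real native code would dereference or free `ptr`; here we only record it.
    static volatile long lastPointerSeenByNative = 0;
    static void nativeRelease(long ptr) {
        lastPointerSeenByNative = ptr;
        System.out.printf("native code received pointer 0x%x%n", ptr);
    }

    // VULNERABLE pattern: the handle is part of the serialised state and finalize()
    // forwards it to native code, so whoever controls the byte stream controls the pointer.
    static class VulnerableHandle implements Serializable {
        private static final long serialVersionUID = 1L;
        long nativePtr;                       // restored verbatim from the stream
        VulnerableHandle(long p) { nativePtr = p; }
        @Override protected void finalize() { nativeRelease(nativePtr); }
    }

    // HARDENED pattern: the handle is transient, so it is never read from the stream;
    // readObject() makes that explicit, and finalize() ignores a null handle.
    static class HardenedHandle implements Serializable {
        private static final long serialVersionUID = 1L;
        private transient long nativePtr;
        HardenedHandle(long p) { nativePtr = p; }
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            nativePtr = 0;                    // a deserialised instance owns no native resource
        }
        @Override protected void finalize() {
            if (nativePtr != 0) nativeRelease(nativePtr);
        }
    }

    static byte[] serialize(Serializable o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    // Victim side: deserialise an untrusted payload, drop the reference and force
    // finalisation. Returns the pointer value that reached "native" code (0 if none did).
    static long deliverAndCollect(byte[] payload) throws Exception {
        lastPointerSeenByNative = 0;
        Object o = deserialize(payload);      // SDK class is on the victim's classpath
        o = null;
        for (int i = 0; i < 5 && lastPointerSeenByNative == 0; i++) {
            System.gc();
            System.runFinalization();
            Thread.sleep(50);
        }
        return lastPointerSeenByNative;
    }

    public static void main(String[] args) throws Exception {
        // Attacker side: the chosen value is a constructed marker, not a real address.
        long chosen = 0x4141414141414141L;
        long seen = deliverAndCollect(serialize(new VulnerableHandle(chosen)));
        System.out.println("vulnerable class: pointer controlled by attacker = " + (seen == chosen));

        seen = deliverAndCollect(serialize(new HardenedHandle(chosen)));
        System.out.println("hardened class: native code reached at all = " + (seen != 0));
    }
}
```

Compile with `javac FinalizeDeserializationDemo.java` and run it: with the vulnerable class the stub receives exactly the value placed in the stream, with the hardened class it is never called. Marking the handle `transient` is the fix that removes attacker control; the null check in `finalize` is defense in depth, and dropping finalizers altogether in favour of explicit release is better still. How the malicious bytes reach the vulnerable app is not specified by the advisory, so the demo simply hands them to `deserialize()`.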

Timeline

Credit

External References