Lack of data validation - Path Traversal In github.com/mvt-project/androidqf
Description
androidqf: Zip entry Name Injection in APK bundle (Zip Slip for zip consumers)
Summary
generateZipPath() constructs zip entry names for collected APKs using device-controlled content from extractFileName(). Because extractFileName() does not reject traversal sequences, the resulting zip entry name can contain ../. AndroidQF itself does not extract the zip it creates, but any forensic tool that extracts the acquisition bundle without zip-slip protection could write files to attacker-chosen paths.
Impact
A compromised device could inject path traversal sequences into the acquisition bundle's zip entry names. When a forensic analyst or forensic tooling extracts the bundle without entry name validation, files could be written outside the intended extraction directory.
Patched version
Credits
This issue was identified during a security assessment conducted by 0xche.
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
| Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
go | 1.8.3 |