Vulnerabilities > CVE-2022-36938 - Improper Validation of Specified Quantity in Input vulnerability in Facebook Redex

CVSS 9.8 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

facebook

CWE-1284

critical

NVD

Published: 2022-11-11

Updated: 2023-11-07

Summary

DexLoader function get_stringidx_fromdex() in Redex prior to commit 3b44c64 can load an out of bound address when loading the string index table, potentially allowing remote code execution during processing of a 3rd party Android APK file.

Vulnerable Configurations

Part	Description	Count
Application	Facebook Facebook Redex -	1

Common Weakness Enumeration (CWE)

CWE-1284 - Improper Validation of Specified Quantity in Input

References

https://github.com/facebook/redex/commit/3b44c640346b77bfb7ef36e2413688dd460288d2