Impact
Due to some data types not being natively representable for the available storage options, shared_preferences_android serializes and deserializes special string prefixes to store these unrepresentable data types. This allows arbitrary classes to be deserialized leading to arbitrary code execution.
As a result, Files containing the preferences can be overwritten with a malicious one with a deserialization payload that triggers as soon as the data is loaded from the disk.
Patches
2.3.4
Workarounds
Update to the latest version of shared_preferences_android that contains the changes to address this vulnerability.
References
TBD
For more information
See our community page to find ways to contact the team.
Thanks
Thank you so much to Oskar Zeino-Mahmalat from sonarsource for finding and reporting this issue!
Impact
Due to some data types not being natively representable for the available storage options, shared_preferences_android serializes and deserializes special string prefixes to store these unrepresentable data types. This allows arbitrary classes to be deserialized leading to arbitrary code execution.
As a result, Files containing the preferences can be overwritten with a malicious one with a deserialization payload that triggers as soon as the data is loaded from the disk.
Patches
2.3.4
Workarounds
Update to the latest version of shared_preferences_android that contains the changes to address this vulnerability.
References
TBD
For more information
See our community page to find ways to contact the team.
Thanks
Thank you so much to Oskar Zeino-Mahmalat from sonarsource for finding and reporting this issue!