9.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-21386

GHSA ID

GHSA-8434-v7xw-8m9x

EPSS Score

0.76573%

CWE

CWE-78

Published

1/21/2022

Updated

9/7/2023

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-21386

CVE-2021-21386: Improper Neutralization of Argument Delimiters in a Decompiling Package Process in APKLeaks

APKLeaks prior to v2.0.4 allows remote authenticated attackers to execute arbitrary OS commands via package name inside the application manifest.

Impact

An authenticated attacker could include arguments that allow unintended commands or code to be executed, allow sensitive data to be read or modified, or could cause other unintended behavior through malicious package names.

References

a966e781499ff6fd4eea66876d7532301b13a382

For more information

If you have any questions or comments about this advisory:

Email me at me@dw1.io

(GitHub Advisory)

9.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-21386

GHSA ID

GHSA-8434-v7xw-8m9x

EPSS Score

0.76573%

CWE

CWE-78

Published

1/21/2022

Updated

9/7/2023

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
APKLeaks	pip	< 2.0.4	2.0.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the pre-patch command construction pattern '%s %s -d %s --deobf' which directly interpolated user-controlled values (dex path and tempdir) into an OS command. This allowed injection of command arguments through malicious package names. The commit explicitly fixes this by: 1) Using an array for arguments 2) Applying proper shell escaping with pipes.quote() 3) Safely joining arguments. The vulnerable code path is clearly in the decompile() method where the unsafe os.system() call originated.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*PKL**ks prior to v*.*.* *llows r*mot* *ut**nti**t** *tt**k*rs to *x**ut* *r*itr*ry OS *omm*n*s vi* p**k*** n*m* insi** t** *ppli**tion m*ni**st. ### Imp**t *n *ut**nti**t** *tt**k*r *oul* in*lu** *r*um*nts t**t *llow unint*n*** *omm*n*s or *o** to

Reasoning

T** vuln*r**ility st*ms *rom t** pr*-p*t** *omm*n* *onstru*tion p*tt*rn '%s %s -* %s --**o**' w*i** *ir**tly int*rpol*t** us*r-*ontroll** v*lu*s (**x p*t* *n* t*mp*ir) into *n OS *omm*n*. T*is *llow** inj**tion o* *omm*n* *r*um*nts t*rou** m*li*ious

9.3

Basic Information

Concerned about an active attack path?

CVE-2021-21386: Improper Neutralization of Argument Delimiters in a Decompiling Package Process in APKLeaks

Impact

References

For more information

9.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI