3

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-3hpf-ff72-j67p

EPSS Score

CWE

CWE-502

Published

12/6/2024

Updated

12/9/2024

KEV Status

Technology

Dart

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-3hpf-ff72-j67p

GHSA-3hpf-ff72-j67p: shared_preferences_android vulnerability

Impact

Due to some data types not being natively representable for the available storage options, shared_preferences_android serializes and deserializes special string prefixes to store these unrepresentable data types. This allows arbitrary classes to be deserialized leading to arbitrary code execution.

As a result, Files containing the preferences can be overwritten with a malicious one with a deserialization payload that triggers as soon as the data is loaded from the disk.

Patches

2.3.4

Workarounds

Update to the latest version of shared_preferences_android that contains the changes to address this vulnerability.

References

TBD

For more information

See our community page to find ways to contact the team.

Thanks

Thank you so much to Oskar Zeino-Mahmalat from sonarsource for finding and reporting this issue!

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-3hpf-ff72-j67p

GHSA-3hpf-ff72-j67p:

3

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-3hpf-ff72-j67p

EPSS Score

CWE

CWE-502

Published

12/6/2024

Updated

12/9/2024

KEV Status

Technology

Dart

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
shared_preferences_android	pub	= 2.3.3	2.3.4

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from unsafe deserialization using ObjectInputStream in decode methods. Both Java and Kotlin implementations directly deserialized data without restricting allowed classes, enabling arbitrary object instantiation. The patch introduces StringListObjectInputStream with an allowlist to restrict deserialization, confirming these decode functions were the vulnerable points.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

3

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-3hpf-ff72-j67p: shared_preferences_android vulnerability

Impact

Patches

Workarounds

References

For more information

Thanks

GHSA-3hpf-ff72-j67p:

3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

GHSA-3hpf-ff72-j67p: shared_preferences_android vulnerability

Impact

Patches

Workarounds

References

For more information

Thanks

Technical Details

Basic Information

Basic Information

3

3

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI