CVE-2020-36379
Description
A command injection vulnerability in aaptjs 1.3.1 allows attackers to execute arbitrary code via the remove function's filePath parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A command injection vulnerability exists in aaptjs versions prior to and including 1.3.1. The remove function passes user-supplied input via the filePath parameter unsafely into a shell command, allowing attackers to inject arbitrary commands. The issue is documented in the project's issue tracker [2] and the official description [1] confirms the vulnerability in shenzhim aaptjs 1.3.1.
Exploitation
The attacker must be able to supply a crafted filePath argument to the remove function of the aaptjs library. No authentication or special privileges are required beyond the ability to call the vulnerable function. The exploitation sequence involves providing a file path that contains shell metacharacters (e.g., a backtick or semicolon) followed by arbitrary commands, which are then executed in the context of the process running aaptjs.
Impact
Successful exploitation allows an attacker to achieve remote code execution (RCE) with the privileges of the application using the aaptjs library. This can lead to full compromise of the host system, including data exfiltration, installation of malware, or further lateral movement within the network.
Mitigation
As of the publication date (2021-10-31), no patched version of aaptjs has been released. The official repository [3] shows no subsequent fix. Users should avoid passing untrusted input to the remove function and consider using a safer alternative or sanitizing input until a patch becomes available. There is no indication that this CVE is listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of this writing.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| aaptjs (npm) | <= 1.3.1 | — |
Affected products
- shenzhim/aaptjs
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-9cq3-fj2h-ggj5 (GHSA, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2020-36379 (ADVISORY)
- github.com/shenzhim/aaptjs/issues/2 (WEB, x_refsource_MISC)
News mentions
No linked articles in our index yet.