{"id":"CVE-2024-21633","summary":"Arbitrary file write on Decoding","details":"Apktool is a tool for reverse engineering Android APK files. In versions 2.9.1 and prior, Apktool infers resource files' output path according to their resource names, which can be manipulated by an attacker to place files at a desired location on the system Apktool runs on. Affected environments are those in which an attacker may write/overwrite any file that the user has write access to, and either the user name is known or the cwd is under the user folder. Commit d348c43b24a9de350ff6e5bd610545a10c1fc712 contains a patch for this issue.","aliases":["GHSA-2hqv-2xv4-5h5w"],"modified":"2026-04-12T08:03:50.524427Z","published":"2024-01-03T16:59:18.566Z","database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-22"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/21xxx/CVE-2024-21633.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/21xxx/CVE-2024-21633.json"},{"type":"ADVISORY","url":"https://github.com/iBotPeaches/Apktool/security/advisories/GHSA-2hqv-2xv4-5h5w"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-21633"},{"type":"FIX","url":"https://github.com/iBotPeaches/Apktool/commit/d348c43b24a9de350ff6e5bd610545a10c1fc712"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ibotpeaches/apktool","events":[{"introduced":"0"},{"fixed":"d348c43b24a9de350ff6e5bd610545a10c1fc712"}]}],"versions":["v0.9.2","v1.0.0","v1.1.0","v1.1.1","v1.2.0","v1.3.0","v1.3.1","v1.3.2","v1.4.0","v1.4.1","v1.4.2","v1.4.3","v1.5.1","v1.5.2","v2.0.0","v2.0.0-RC2","v2.0.0-RC3","v2.0.0-RC4","v2.0.1","v2.0.2","v2.0.3","v2.1.0","v2.1.1","v2.2.0","v2.2.1","v2.2.2","v2.2.3","v2.2.4","v2.3.0","v2.3.1","v2.3.2","v2.3.3","v2.3.4","v2.4.0","v2.4.1","v2.5.0","v2.6.0","v2.6.1","v2.7.0","v2.8.0","v2.8.1","v2.9.0","v2.9.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-216
33.json","vanir_signatures":[{"source":"https://github.com/ibotpeaches/apktool/commit/d348c43b24a9de350ff6e5bd610545a10c1fc712","target":{"file":"brut.j.dir/src/main/java/brut/directory/FileDirectory.java"},"signature_type":"Line","signature_version":"v1","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["180344132234033290512785867089419654934","130773119975006918579846349985679671177","320470365899577863476946486915715389997","182211329058166602847101892687230906954"]},"id":"CVE-2024-21633-002eba49"},{"source":"https://github.com/ibotpeaches/apktool/commit/d348c43b24a9de350ff6e5bd610545a10c1fc712","target":{"file":"brut.j.dir/src/main/java/brut/directory/DirUtil.java"},"signature_type":"Line","signature_version":"v1","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["249858151289613368853800683827276775268","229777700531222151690555526144169675800","5716647538880407953593567819625501428","117896502084350707173374309954602308374"]},"id":"CVE-2024-21633-0c30872c"},{"source":"https://github.com/ibotpeaches/apktool/commit/d348c43b24a9de350ff6e5bd610545a10c1fc712","target":{"function":"decode","file":"brut.apktool/apktool-lib/src/main/java/brut/androlib/res/decoder/ResFileDecoder.java"},"signature_type":"Function","signature_version":"v1","deprecated":false,"digest":{"function_hash":"95027386502078978239722984392857814412","length":2308},"id":"CVE-2024-21633-34eeb22c"},{"source":"https://github.com/ibotpeaches/apktool/commit/d348c43b24a9de350ff6e5bd610545a10c1fc712","target":{"file":"brut.apktool/apktool-lib/src/test/java/brut/androlib/util/UnknownDirectoryTraversalTest.java"},"signature_type":"Line","signature_version":"v1","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["283161872531006152084767023764175310224","105510169202813355578565419802396791595","230053391891125990300618630182658482048","66734798954357317540894511251692789508","18834115132416300441916330459980731859","209641564051486011624293084282191642802","2366270352687207052
05482348193243797484","92201351679835345336207998308370620812","232309407376534999238709024170338445772","162936366177769798688376705571597024661","141226230107937126888289844477471713028","133382460166427470781717482804049150452","310178765865681488736575897490422793630","181661234754863124047411242296419347292","29428253273499790494015474569878666518","221094563109699199357349016474754051892","290600894177232711391002172014352009066","43478265975860832825853216576850399789","140104375340632308387802369291930625310","141472767946423914255826631226019359106","279729907399089552796848878973831155080","95415059580113813918528151100407161874","11854540960317860683571888211615749052","282963739120013895980491588561900328015","146164663064605942560229035856683688279"]},"id":"CVE-2024-21633-3a7061ee"},{"source":"https://github.com/ibotpeaches/apktool/commit/d348c43b24a9de350ff6e5bd610545a10c1fc712","target":{"function":"decodeResources","file":"brut.apktool/apktool-lib/src/main/java/brut/androlib/res/ResourcesDecoder.java"},"signature_type":"Function","signature_version":"v1","deprecated":false,"digest":{"function_hash":"135309352453870491185557149779871089182","length":1068},"id":"CVE-2024-21633-51fce822"},{"source":"https://github.com/ibotpeaches/apktool/commit/d348c43b24a9de350ff6e5bd610545a10c1fc712","target":{"file":"brut.apktool/apktool-lib/src/main/java/brut/androlib/res/decoder/ResFileDecoder.java"},"signature_type":"Line","signature_version":"v1","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["268280756020548486919845158359397408754","50627168815369557073419108339774863011","100294031798361867641352174151175965802","210840831192393554144673078954636195165","336335061129990799319731027015780061417","40468193609750454478511896804039269656","13196088508605798629764223544806870214","162981188289974034413010901213006976426","42725708681976597378273190515762183079"]},"id":"CVE-2024-21633-6654d4d8"},{"source":"https://github.com/ibotpeaches/apktool/commit/d
348c43b24a9de350ff6e5bd610545a10c1fc712","target":{"file":"brut.apktool/apktool-lib/src/main/java/brut/androlib/ApkBuilder.java"},"signature_type":"Line","signature_version":"v1","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["48801637094639286651897050097762432764","153103621810736786035401827446038774494","40160486843768674930407598412800194079","23117276763797523322797657723300387455"]},"id":"CVE-2024-21633-be23b279"},{"source":"https://github.com/ibotpeaches/apktool/commit/d348c43b24a9de350ff6e5bd610545a10c1fc712","target":{"file":"brut.apktool/apktool-lib/src/main/java/brut/androlib/res/ResourcesDecoder.java"},"signature_type":"Line","signature_version":"v1","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["144896052325294589191206816056247014584","24043385085323934255019449882043098793","199205228140976643817665229075810343009","299734114791397721365662679167869371503","46455468150689368066377231146889962872","126986158835071155366618791005881934984","143980947414871705422181766612461933201","58294193776226346676052422702803174243","264008004268243083526870433262798020784","133704760324473966950624694485384588978","182812161734573552648779934594795637235","18995380298875166590755069210886797664","4083927384742699884757682987696945785","109794698433149450618534395879264028318","71790337572306094139363405579488118783","26319157840658031618749807774385183588","314560767306086143723681204192383777667","10477408975175176954937103521767184640"]},"id":"CVE-2024-21633-cfe90528"},{"source":"https://github.com/ibotpeaches/apktool/commit/d348c43b24a9de350ff6e5bd610545a10c1fc712","target":{"function":"sanitizeUnknownFile","file":"brut.j.util/src/main/java/brut/util/BrutIO.java"},"signature_type":"Function","signature_version":"v1","deprecated":false,"digest":{"function_hash":"305729855051051852695639420830314298728","length":560},"id":"CVE-2024-21633-e68b6029"},{"source":"https://github.com/ibotpeaches/apktool/commit/d348c43b24a9de350ff6e5bd610545a
10c1fc712","target":{"file":"brut.j.util/src/main/java/brut/util/BrutIO.java"},"signature_type":"Line","signature_version":"v1","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["161382685874068638333085330850017945809","112220944136947889100065187663089317622","257503211091043676826994234499964412547","191191124471629645783780891425154078866","256001733525498165393895692419586586868","81620883625584142869233331011461932589","75221269197355846871719088033631957960","312387689006611689966760589221247851128","119548062635376994714548551959461593018"]},"id":"CVE-2024-21633-ef0c8142"},{"source":"https://github.com/ibotpeaches/apktool/commit/d348c43b24a9de350ff6e5bd610545a10c1fc712","target":{"file":"brut.j.dir/src/main/java/brut/directory/ZipUtils.java"},"signature_type":"Line","signature_version":"v1","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["263629784483937508657248352604329144353","134107458549837405468425862878617777276","113195190027331023759881156098291974422","231868823277573346983392962909887299617","225226734359865603129995432043178300660"]},"id":"CVE-2024-21633-f92a36bf"}],"vanir_signatures_modified":"2026-04-12T08:03:50Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}