CVE-2023-44128
low-risk
Published 2023-09-27
The vulnerability allows deletion of arbitrary files through the LGInstallService ("com.lge.lginstallservies") app. The app contains the exported "com.lge.lginstallservies.InstallService" service, which exposes an AIDL interface. All of its "installPackage*" methods ultimately call the "installPackageVerify()" method, which performs signature validation after the file-deletion method. An attacker can control conditions so that this security check is never performed and an attacker-controlled file is deleted.
Do I need to act?
EPSS score: 0.02% chance of exploitation (low exploit probability)
Not on CISA KEV list: no confirmed active exploitation reported to CISA
Patch status unknown: check vendor advisories for fix availability and mitigation guidance
CVSS 5.0/10 · Medium · LOCAL / LOW complexity
Affected Products (1)
Affected Vendors
References (2)
Vendor Advisory
https://lgsecurity.lge.com/bulletins/mobile#updateDetails
Vendor Advisory
https://lgsecurity.lge.com/bulletins/mobile#updateDetails
22 / 100 · low-risk
Severity: 17/34 · Moderate
Exploitability: 0/34 · Minimal
Exposure: 5/34 · Minimal