Platform
android
Component
smp-sdk
Fixed in
3.0.9
CVE-2021-25342 describes a denial-of-service (DoS) vulnerability in the SMP sdk for Android applications. The SDK calls a content provider that does not exist on the device; in the wording of the CVE description, this allows unauthorized actions, including a denial of service, by hijacking the provider. The vulnerability affects versions of the SMP sdk earlier than 3.0.9, and the fix ships in version 3.0.9.
On Android, a content provider is addressed by an authority string (the host part of a content:// URI), and the system resolves that string to whichever installed app declares it. The SDK call at the root of this CVE addresses an authority that no installed provider declares: the lookup fails, which can crash the application or leave it unable to perform its intended functions, and, because the authority is unclaimed, an unrelated app that declares the same authority is what a lookup would resolve to, which is the provider hijacking the CVE description refers to. The impact ranges from temporary service disruption to complete application unavailability, affecting user experience and data access; the "unauthorized actions" the CVE mentions are not described in any more detail publicly. Because the vulnerable call lives inside the SDK rather than in application code, exploitation requires either an app installed on the same device or a way to influence the URI or authority that the application hands to the SDK, for example through malicious input or a compromised component.
This CVE was published on March 4, 2021. There is no indication of active exploitation, and it is not listed in the CISA KEV catalog at the time of writing. No public proof-of-concept code is readily available, which suggests a low probability of immediate widespread exploitation. The documented impact is on application availability rather than data compromise; the CVE description also speaks of unauthorized actions, but nothing beyond the denial of service is described publicly.
Android applications that bundle an SMP sdk version earlier than 3.0.9 are at risk. This includes applications that rely on the SDK for specific functionality and those that pass user-controlled input into the code path that ends in the provider call. Developers using the SMP sdk should prioritise upgrading to the patched version.
• android / app:
# Check which SMP sdk version the app actually resolves (substitute the SDK's real group:artifact for "smp")
./gradlew :app:dependencies --configuration releaseRuntimeClasspath | grep -i smp
• android / app:
# Watch for failed provider lookups at runtime (replace 'provider_name' with the authority the SDK uses)
adb logcat | grep -i -e "provider_name" -e "Failed to find provider info"
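The grep above only matches literal strings and says nothing about how often or from which process the lookup failed. The script below is an added example, not code from this page or from the SDK vendor: it parses adb logcat -v threadtime output and groups failed content-provider lookups by authority and process. The sample log lines are constructed, the authority com.example.smp.provider is a placeholder rather than the SMP sdk's real authority, and the two message patterns (the "Failed to find provider info for ..." log line and the "Unknown URL content://..." IllegalArgumentException text) are the usual Android messages for an authority that resolves to no installed provider; exact wording differs between Android releases, so extend the pattern list for the devices you test on.

```python
import re
from collections import defaultdict

# Constructed sample of `adb logcat -v threadtime` output; not captured from a real device.
# "com.example.smp.provider" is a placeholder authority, not the SMP sdk's real one.
SAMPLE_LOGCAT = """\
03-04 10:15:01.123  4321  4321 I ActivityManager: Start proc 4321:com.example.app/u0a123 for activity
03-04 10:15:02.456  4321  4350 E ContentResolver: Failed to find provider info for com.example.smp.provider
03-04 10:15:02.460  4321  4350 E AndroidRuntime: java.lang.IllegalArgumentException: Unknown URL content://com.example.smp.provider/config
03-04 10:15:03.001  4321  4350 D SmpSdk: init done
03-04 10:15:09.777  4321  4350 E ContentResolver: Failed to find provider info for com.example.smp.provider
03-04 10:15:10.000  5555  5555 W ActivityManager: Unable to start service Intent { act=x }: not found
"""

# threadtime format: MM-DD HH:MM:SS.mmm  PID  TID LEVEL TAG: MESSAGE
LINE_RE = re.compile(
    r"^(?P<date>\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+"
    r"(?P<level>[VDIWEF]) (?P<tag>[^:]+): (?P<msg>.*)$"
)
# Messages Android emits when a content:// authority resolves to no installed provider.
# Wording differs between Android releases; extend this list for the devices you test on.
MISSING_PROVIDER_PATTERNS = (
    re.compile(r"Failed to find provider info for (?P<authority>[\w.]+)"),
    re.compile(r"Unknown URL content://(?P<authority>[\w.]+)"),
)


def parse_line(line):
    """Split one threadtime logcat line into fields, or return None if it is not one."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_missing_providers(logcat_text):
    """Map each unresolved authority to the (pid, time, message) events that referenced it."""
    hits = defaultdict(list)
    for raw in logcat_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        for pattern in MISSING_PROVIDER_PATTERNS:
            m = pattern.search(rec["msg"])
            if m:
                hits[m.group("authority")].append((int(rec["pid"]), rec["time"], rec["msg"]))
                break
    return dict(hits)


def summarize(hits):
    """One line per authority: how often it failed to resolve and from which process(es)."""
    lines = []
    for authority, events in sorted(hits.items()):
        pids = sorted({pid for pid, _, _ in events})
        lines.append(f"{authority}: {len(events)} failed lookups from pid(s) {pids}")
    return lines


if __name__ == "__main__":
    # Typical use: adb logcat -v threadtime -d > app.log; python3 this_script.py < app.log
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOGCAT
    for line in summarize(find_missing_providers(text)):
        print(line)
```

An authority that repeatedly fails to resolve from the application's own PID is the signature of the vulnerable code path being exercised; an authority that suddenly starts resolving after another app is installed is worth investigating as a hijack attempt, which is why the summary keeps the PID rather than only the count.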
Exploit status
EPSS
0.05% (17th percentile)
CVSS vector
The primary mitigation for CVE-2021-25342 is to upgrade the SMP sdk to version 3.0.9 or later, which contains the fix. If the SDK arrives transitively through another library, declare it directly (or add a dependency constraint) at 3.0.9 and confirm the resolved version with ./gradlew :app:dependencies, since what ships in the APK is the version Gradle resolves, not the one written in a library's own build file. If upgrading is not immediately feasible, the workaround is limited: the vulnerable call lives inside the SDK, so input validation in the application only helps where the application itself supplies the URI or authority that the SDK ends up calling. Sanitise that data and, where the authority is known, check at runtime with PackageManager.resolveContentProvider() that it resolves to the package you expect before handing it to the SDK; a null result means no installed app declares it, and a result from an unexpected package is the hijack case. After upgrading, confirm the fix by exercising the code path that used to trigger the failed provider lookup and verifying that it no longer crashes or stalls the application.
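Deciding whether a project is affected comes down to comparing the declared SMP sdk version against 3.0.9, which is easy to get wrong with a plain string comparison (3.0.10 sorts below 3.0.9 as text). The script below is an added example, not the page's or the vendor's tooling: it scans a build.gradle fragment for both Gradle dependency notations, picks out the SDK by coordinates, and compares versions numerically, treating pre-release suffixes as lower than the release and reporting versions defined through variables as unknown. The group and artifact com.example.smp:smp-sdk are assumed placeholders for the SDK's real Maven coordinates, and the build.gradle fragment is constructed.

```python
import re

# Version that carries the fix, per the advisory this page summarises.
FIXED_VERSION = "3.0.9"

# Hypothetical Maven coordinates for the SMP sdk: substitute the real group:artifact
# from your project's dependency tree (./gradlew :app:dependencies).
SMP_GROUP = "com.example.smp"
SMP_ARTIFACT = "smp-sdk"

# Constructed build.gradle fragment, not taken from any real project.
SAMPLE_GRADLE = """\
dependencies {
    implementation 'androidx.core:core-ktx:1.6.0'
    implementation 'com.example.smp:smp-sdk:3.0.7'
    testImplementation("junit:junit:4.13.2")
}
"""

# implementation 'group:artifact:version'  /  implementation("group:artifact:version")
SHORT_FORM_RE = re.compile(
    r"""['"](?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<version>[\w.\-+${}]+)['"]"""
)
# implementation group: 'g', name: 'a', version: 'v'
MAP_FORM_RE = re.compile(
    r"""group:\s*['"](?P<group>[\w.\-]+)['"]\s*,\s*name:\s*['"](?P<artifact>[\w.\-]+)['"]"""
    r"""\s*,\s*version:\s*['"](?P<version>[\w.\-+${}]+)['"]"""
)


def parse_version(text):
    """Comparable key for a Gradle version string.

    Layout: four numeric components (padded or truncated), then a release flag, then an
    optional pre-release suffix, so 3.0.9-beta1 < 3.0.9 < 3.0.9.1 < 3.1.
    Raises ValueError for non-numeric versions such as '$smpVersion'.
    """
    m = re.match(r"(\d+(?:\.\d+)*)(.*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))[:4]
    nums += (0,) * (4 - len(nums))
    suffix = m.group(2).lstrip("-.")
    return nums + ((1,) if not suffix else (0, suffix))


def find_dependencies(gradle_text):
    """Yield (group, artifact, version, line_no) for each coordinate declared in the script."""
    for line_no, line in enumerate(gradle_text.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith("//"):
            continue
        for pattern in (SHORT_FORM_RE, MAP_FORM_RE):
            for m in pattern.finditer(stripped):
                yield m.group("group"), m.group("artifact"), m.group("version"), line_no


def check_smp_sdk(gradle_text, fixed=FIXED_VERSION):
    """Return [(line_no, declared_version, affected)] for every SMP sdk declaration.

    affected is True below the fixed version, False at or above it, and None when the
    version is a variable or otherwise unparseable and must be resolved by Gradle itself.
    """
    results = []
    for group, artifact, version, line_no in find_dependencies(gradle_text):
        if group != SMP_GROUP or artifact != SMP_ARTIFACT:
            continue
        try:
            affected = parse_version(version) < parse_version(fixed)
        except ValueError:
            affected = None
        results.append((line_no, version, affected))
    return results


if __name__ == "__main__":
    for line_no, version, affected in check_smp_sdk(SAMPLE_GRADLE):
        status = {True: "AFFECTED", False: "fixed", None: "unknown (resolve with Gradle)"}[affected]
        print(f"line {line_no}: {SMP_GROUP}:{SMP_ARTIFACT}:{version} -> {status}")
```

An empty result does not mean the app is safe: the SDK may arrive transitively through another library, so treat this as a first pass and confirm the resolved version with ./gradlew :app:dependencies before signing off.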
Update the SMP sdk to version 3.0.9 or later. This version fixes the vulnerability that allows unauthorized actions and denial-of-service attacks.
CVE-2021-25342 is a denial-of-service vulnerability in the SMP sdk for Android: the SDK calls a content provider that does not exist on the device, which lets an attacker crash the application and, per the CVE description, hijack the provider.
You are affected if your Android application uses an SMP sdk version earlier than 3.0.9. Upgrade to 3.0.9 or later to mitigate the risk.
Upgrade the SMP sdk to version 3.0.9 or later. Implement input validation as a temporary workaround if upgrading is not immediately possible.
There is currently no evidence of active exploitation of CVE-2021-25342.
Refer to the vendor's security advisory for details: [https://github.com/SMP-SDK/SMP-SDK/issues/110](https://github.com/SMP-SDK/SMP-SDK/issues/110)