Remote code execution in YouTube Android Player API SDK
CVE-2023-0460
What is CVE-2023-0460?
The YouTube Embedded SDK version 1.2 is prone to a code execution vulnerability due to improper handling of service bindings. This flaw allows attackers to replace the intended service with a malicious app, enabling arbitrary code execution when the SDK is invoked. An attacker can exploit this by masquerading as the YouTube app and distributing both the malicious app and the SDK to unsuspecting users outside of the Play Store. This vulnerability highlights critical risks associated with service binding and remote code execution in mobile applications.

Affected Version(s)
YouTube Android Player API SDK 1.2 <= 1.2.2