Remote code execution in YouTube Android Player API SDK
CVE-2023-0460

7.3HIGH

Key Information:

Vendor: Google
Status: YouTube Android Player API SDK
Vendor: CVE Published:; 1 March 2023

Summary

The YouTube Embedded SDK version 1.2 is prone to a code execution vulnerability due to improper handling of service bindings. This flaw allows attackers to replace the intended service with a malicious app, enabling arbitrary code execution when the SDK is invoked. An attacker can exploit this by masquerading as the YouTube app and distributing both the malicious app and the SDK to unsuspecting users outside of the Play Store. This vulnerability highlights critical risks associated with service binding and remote code execution in mobile applications.

Affected Version(s)

YouTube Android Player API SDK 1.2 <= 1.2.2

References

https://developers.google.com/youtube/android/player/down...

CVSS V3.1

Score:

7.3

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Mar 1, 2023
Vulnerability Reserved
Jan 24, 2023

Collectors

NVD DatabaseMitre Database