{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-13917", "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "state": "PUBLISHED", "assignerShortName": "CERT-PL", "dateReserved": "2025-03-04T13:18:36.774Z", "datePublished": "2025-05-30T15:17:47.318Z", "dateUpdated": "2025-06-10T09:12:56.279Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "com.pri.applock", "vendor": "Kruger&Matz", "versions": [{"status": "affected", "version": "13"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Szymon Chadam"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "An&nbsp;application \"com.pri.applock\", which is pre-loaded on&nbsp;Kruger&amp;Matz smartphones, allows a user to encrypt any application using user-provided PIN code or by using biometric data.<br>Exposed \u201dcom.pri.applock.LockUI\u201c activity allows any other malicious application, with no granted Android system permissions, to inject an arbitrary intent with system-level privileges to a protected application. One must know the protecting PIN number (it might be revealed by exploiting&nbsp;CVE-2024-13916) or ask the user to provide it.<br><br>Only version (version name: 13, version code: 33) was tested and confirmed to have this vulnerability. <br>Application update was released in April 2025.<br>"}], "value": "An\u00a0application \"com.pri.applock\", which is pre-loaded on\u00a0Kruger&Matz smartphones, allows a user to encrypt any application using user-provided PIN code or by using biometric data.\nExposed \u201dcom.pri.applock.LockUI\u201c activity allows any other malicious application, with no granted Android system permissions, to inject an arbitrary intent with system-level privileges to a protected application. One must know the protecting PIN number (it might be revealed by exploiting\u00a0CVE-2024-13916) or ask the user to provide it.\n\nOnly version (version name: 13, version code: 33) was tested and confirmed to have this vulnerability. \nApplication update was released in April 2025."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "baseScore": 8.3, "baseSeverity": "HIGH", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-926", "description": "CWE-926 Improper Export of Android Application Components", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "shortName": "CERT-PL", "dateUpdated": "2025-06-10T09:12:56.279Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://cert.pl/en/posts/2025/05/CVE-2024-13915"}], "source": {"discovery": "EXTERNAL"}, "title": "Intent Injection in Kruger&Matz AppLock application", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-30T15:38:27.152404Z", "id": "CVE-2024-13917", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-30T15:38:38.937Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-13917", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-05-30T15:38:27.152404Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-30T15:38:28.985Z"}}], "cna": {"title": "Intent Injection in Kruger&Matz AppLock application", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Szymon Chadam"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.3, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Kruger&Matz", "product": "com.pri.applock", "versions": [{"status": "affected", "version": "13"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://cert.pl/en/posts/2025/05/CVE-2024-13915", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "An\u00a0application \"com.pri.applock\", which is pre-loaded on\u00a0Kruger&Matz smartphones, allows a user to encrypt any application using user-provided PIN code or by using biometric data.\nExposed \u201dcom.pri.applock.LockUI\u201c activity allows any other malicious application, with no granted Android system permissions, to inject an arbitrary intent with system-level privileges to a protected application. One must know the protecting PIN number (it might be revealed by exploiting\u00a0CVE-2024-13916) or ask the user to provide it.\n\nOnly version (version name: 13, version code: 33) was tested and confirmed to have this vulnerability. \nApplication update was released in April 2025.", "supportingMedia": [{"type": "text/html", "value": "An&nbsp;application \"com.pri.applock\", which is pre-loaded on&nbsp;Kruger&amp;Matz smartphones, allows a user to encrypt any application using user-provided PIN code or by using biometric data.<br>Exposed \u201dcom.pri.applock.LockUI\u201c activity allows any other malicious application, with no granted Android system permissions, to inject an arbitrary intent with system-level privileges to a protected application. One must know the protecting PIN number (it might be revealed by exploiting&nbsp;CVE-2024-13916) or ask the user to provide it.<br><br>Only version (version name: 13, version code: 33) was tested and confirmed to have this vulnerability. <br>Application update was released in April 2025.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-926", "description": "CWE-926 Improper Export of Android Application Components"}]}], "providerMetadata": {"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "shortName": "CERT-PL", "dateUpdated": "2025-06-10T09:12:56.279Z"}}}, "cveMetadata": {"cveId": "CVE-2024-13917", "state": "PUBLISHED", "dateUpdated": "2025-06-10T09:12:56.279Z", "dateReserved": "2025-03-04T13:18:36.774Z", "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "datePublished": "2025-05-30T15:17:47.318Z", "assignerShortName": "CERT-PL"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An\u00a0application \"com.pri.applock\", which is pre-loaded on\u00a0Kruger&Matz smartphones, allows a user to encrypt any application using user-provided PIN code or by using biometric data.\nExposed \u201dcom.pri.applock.LockUI\u201c activity allows any other malicious application, with no granted Android system permissions, to inject an arbitrary intent with system-level privileges to a protected application. One must know the protecting PIN number (it might be revealed by exploiting\u00a0CVE-2024-13916) or ask the user to provide it.\n\nOnly version (version name: 13, version code: 33) was tested and confirmed to have this vulnerability. \nApplication update was released in April 2025."}, {"lang": "es", "value": "La aplicaci\u00f3n \"com.pri.applock\", preinstalada en los smartphones Kruger&amp;Matz, permite cifrar cualquier aplicaci\u00f3n mediante el c\u00f3digo PIN proporcionado por el usuario o datos biom\u00e9tricos. La actividad expuesta de \"com.pri.applock.LockUI\" permite que cualquier otra aplicaci\u00f3n maliciosa, sin permisos del sistema Android, inyecte una intenci\u00f3n arbitraria con privilegios de sistema en una aplicaci\u00f3n protegida. Es necesario conocer el n\u00famero PIN de protecci\u00f3n (podr\u00eda revelarse mediante la explotaci\u00f3n de CVE-2024-13916) o solicitar al usuario que lo proporcione. El proveedor no proporcion\u00f3 informaci\u00f3n sobre las versiones vulnerables. Solo la versi\u00f3n (nombre de la versi\u00f3n: 13, c\u00f3digo de la versi\u00f3n: 33) fue probada y se confirm\u00f3 que presenta esta vulnerabilidad."}], "id": "CVE-2024-13917", "lastModified": "2025-06-10T10:15:26.553", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "[email protected]", "type": "Secondary"}]}, "published": "2025-05-30T16:15:36.263", "references": [{"source": "[email protected]", "url": "https://cert.pl/en/posts/2025/05/CVE-2024-13915"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-926"}], "source": "[email protected]", "type": "Secondary"}]}

{}