mobsf@3.2.8 vulnerabilities

Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.

Direct Vulnerabilities

Known vulnerabilities in the mobsf package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • H
Arbitrary File Write via Archive Extraction (Zip Slip)

mobsf is a Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.

Affected versions of this package are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) via the ar_extract function in the shared_func.py component during the extraction of .a extension files. This vulnerability derives due to improper user input sanitization, allowing an attacker to bypass existing protections using sequences like ....//....//....//.

Exploiting this vulnerability allows an attacker to write arbitrary files to any location on the server by manipulating the file path in the archive.

How to fix Arbitrary File Write via Archive Extraction (Zip Slip)?

A fix was pushed into the master branch but not yet published.

[0,)
  • M
URL Redirection to Untrusted Site ('Open Redirect')

mobsf is a Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.

Affected versions of this package are vulnerable to URL Redirection to Untrusted Site ('Open Redirect') through the authentication view by manipulating the redirect URL after a successful login.

Note:* This is only exploitable if the authentication feature is enabled.

How to fix URL Redirection to Untrusted Site ('Open Redirect')?

A fix was pushed into the master branch but not yet published.

[0,)
  • M
Server-Side Request Forgery (SSRF)

mobsf is a Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.

Affected versions of this package are vulnerable to Server-Side Request Forgery (SSRF) due to the firebase database check logic. An attacker can cause the server to make connections to internal-only services within the organization's infrastructure by uploading a malicious app to the Static analyzer, enabling internal requests.

How to fix Server-Side Request Forgery (SSRF)?

Upgrade mobsf to version 4.1.3 or higher.

[,4.1.3)
  • H
Insecure Permissions

mobsf is a Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.

Affected versions of this package are vulnerable to Insecure Permissions due to missing access restrictions. An attacker can append /recent_scans/ to the URL after the homepage and gain access to APK or IPA reports, potentially leading to sensitive information disclosure.

How to fix Insecure Permissions?

There is no fixed version for mobsf.

[0,)