CVE-2013-6774

Untrusted search path vulnerability in the ChainsDD Superuser package 3.1.3 for Android 4.2.x and earlier, CyanogenMod/ClockWorkMod/Koush Superuser package 1.0.2.1 for Android 4.2.x and earlier, and Chainfire SuperSU package before 1.69 for Android 4.2.x and earlier allows attackers to load an arbitrary .jar file and gain privileges via a crafted BOOTCLASSPATH environment variable for a /system/xbin/su process. NOTE: another researcher was unable to reproduce this with ChainsDD Superuser.

Published: Mar 31, 2014
Updated: Apr 13, 2023
CVE: CVE-2013-6774
Severity: High
Exploit:

CVSS v2:

Severity: High
Score: 10
AV:N/AC:L/Au:N/C:C/I:C/A:C

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
chainfire / supersu	1.69	1.69.x
androidsu / chainsdd_superuser	3.1.3	3.1.3.x
koushik_dutta / superuser	1.0.2.1	1.0.2.1.x

http://www.securityfocus.com/archive/1/529796
http://www.securityfocus.com/archive/1/529822

Vulnerability Database

289,697

CVE-2013-6774