CVE-2024-13917 (GCVE-0-2024-13917)
Vulnerability from cvelistv5
Published
2025-05-30 15:17
Modified
2025-06-10 09:12
Severity ?
8.3 (High) - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
CWE
  • CWE-926 - Improper Export of Android Application Components
Summary
An application "com.pri.applock", which is pre-loaded on Kruger&Matz smartphones, allows a user to encrypt any application using user-provided PIN code or by using biometric data. Exposed ”com.pri.applock.LockUI“ activity allows any other malicious application, with no granted Android system permissions, to inject an arbitrary intent with system-level privileges to a protected application. One must know the protecting PIN number (it might be revealed by exploiting CVE-2024-13916) or ask the user to provide it. Only version (version name: 13, version code: 33) was tested and confirmed to have this vulnerability. Application update was released in April 2025.
References
cvd@cert.plhttps://cert.pl/en/posts/2025/05/CVE-2024-13915
Impacted products
Vendor Product Version
Kruger&Matz com.pri.applock Version: 13
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-13917",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-30T15:38:27.152404Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-30T15:38:38.937Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "com.pri.applock",
          "vendor": "Kruger\u0026Matz",
          "versions": [
            {
              "status": "affected",
              "version": "13"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Szymon Chadam"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "An\u0026nbsp;application \"com.pri.applock\", which is pre-loaded on\u0026nbsp;Kruger\u0026amp;Matz smartphones, allows a user to encrypt any application using user-provided PIN code or by using biometric data.\u003cbr\u003eExposed \u201dcom.pri.applock.LockUI\u201c activity allows any other malicious application, with no granted Android system permissions, to inject an arbitrary intent with system-level privileges to a protected application. One must know the protecting PIN number (it might be revealed by exploiting\u0026nbsp;CVE-2024-13916) or ask the user to provide it.\u003cbr\u003e\u003cbr\u003eOnly version (version name: 13, version code: 33) was tested and confirmed to have this vulnerability. \u003cbr\u003eApplication update was released in April 2025.\u003cbr\u003e"
            }
          ],
          "value": "An\u00a0application \"com.pri.applock\", which is pre-loaded on\u00a0Kruger\u0026Matz smartphones, allows a user to encrypt any application using user-provided PIN code or by using biometric data.\nExposed \u201dcom.pri.applock.LockUI\u201c activity allows any other malicious application, with no granted Android system permissions, to inject an arbitrary intent with system-level privileges to a protected application. One must know the protecting PIN number (it might be revealed by exploiting\u00a0CVE-2024-13916) or ask the user to provide it.\n\nOnly version (version name: 13, version code: 33) was tested and confirmed to have this vulnerability. \nApplication update was released in April 2025."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 8.3,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "ACTIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-926",
              "description": "CWE-926 Improper Export of Android Application Components",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-10T09:12:56.279Z",
        "orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
        "shortName": "CERT-PL"
      },
      "references": [
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://cert.pl/en/posts/2025/05/CVE-2024-13915"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Intent Injection in Kruger\u0026Matz AppLock application",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
    "assignerShortName": "CERT-PL",
    "cveId": "CVE-2024-13917",
    "datePublished": "2025-05-30T15:17:47.318Z",
    "dateReserved": "2025-03-04T13:18:36.774Z",
    "dateUpdated": "2025-06-10T09:12:56.279Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-13917\",\"sourceIdentifier\":\"cvd@cert.pl\",\"published\":\"2025-05-30T16:15:36.263\",\"lastModified\":\"2025-06-10T10:15:26.553\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An\u00a0application \\\"com.pri.applock\\\", which is pre-loaded on\u00a0Kruger\u0026Matz smartphones, allows a user to encrypt any application using user-provided PIN code or by using biometric data.\\nExposed \u201dcom.pri.applock.LockUI\u201c activity allows any other malicious application, with no granted Android system permissions, to inject an arbitrary intent with system-level privileges to a protected application. One must know the protecting PIN number (it might be revealed by exploiting\u00a0CVE-2024-13916) or ask the user to provide it.\\n\\nOnly version (version name: 13, version code: 33) was tested and confirmed to have this vulnerability. \\nApplication update was released in April 2025.\"},{\"lang\":\"es\",\"value\":\"La aplicaci\u00f3n \\\"com.pri.applock\\\", preinstalada en los smartphones Kruger\u0026amp;Matz, permite cifrar cualquier aplicaci\u00f3n mediante el c\u00f3digo PIN proporcionado por el usuario o datos biom\u00e9tricos. La actividad expuesta de \\\"com.pri.applock.LockUI\\\" permite que cualquier otra aplicaci\u00f3n maliciosa, sin permisos del sistema Android, inyecte una intenci\u00f3n arbitraria con privilegios de sistema en una aplicaci\u00f3n protegida. Es necesario conocer el n\u00famero PIN de protecci\u00f3n (podr\u00eda revelarse mediante la explotaci\u00f3n de CVE-2024-13916) o solicitar al usuario que lo proporcione. El proveedor no proporcion\u00f3 informaci\u00f3n sobre las versiones vulnerables. Solo la versi\u00f3n (nombre de la versi\u00f3n: 13, c\u00f3digo de la versi\u00f3n: 33) fue probada y se confirm\u00f3 que presenta esta vulnerabilidad.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"cvd@cert.pl\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":8.3,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"ACTIVE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"cvd@cert.pl\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-926\"}]}],\"references\":[{\"url\":\"https://cert.pl/en/posts/2025/05/CVE-2024-13915\",\"source\":\"cvd@cert.pl\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-13917\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-05-30T15:38:27.152404Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-05-30T15:38:28.985Z\"}}], \"cna\": {\"title\": \"Intent Injection in Kruger\u0026Matz AppLock application\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Szymon Chadam\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 8.3, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"ACTIVE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Kruger\u0026Matz\", \"product\": \"com.pri.applock\", \"versions\": [{\"status\": \"affected\", \"version\": \"13\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://cert.pl/en/posts/2025/05/CVE-2024-13915\", \"tags\": [\"third-party-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"An\\u00a0application \\\"com.pri.applock\\\", which is pre-loaded on\\u00a0Kruger\u0026Matz smartphones, allows a user to encrypt any application using user-provided PIN code or by using biometric data.\\nExposed \\u201dcom.pri.applock.LockUI\\u201c activity allows any other malicious application, with no granted Android system permissions, to inject an arbitrary intent with system-level privileges to a protected application. One must know the protecting PIN number (it might be revealed by exploiting\\u00a0CVE-2024-13916) or ask the user to provide it.\\n\\nOnly version (version name: 13, version code: 33) was tested and confirmed to have this vulnerability. \\nApplication update was released in April 2025.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"An\u0026nbsp;application \\\"com.pri.applock\\\", which is pre-loaded on\u0026nbsp;Kruger\u0026amp;Matz smartphones, allows a user to encrypt any application using user-provided PIN code or by using biometric data.\u003cbr\u003eExposed \\u201dcom.pri.applock.LockUI\\u201c activity allows any other malicious application, with no granted Android system permissions, to inject an arbitrary intent with system-level privileges to a protected application. One must know the protecting PIN number (it might be revealed by exploiting\u0026nbsp;CVE-2024-13916) or ask the user to provide it.\u003cbr\u003e\u003cbr\u003eOnly version (version name: 13, version code: 33) was tested and confirmed to have this vulnerability. \u003cbr\u003eApplication update was released in April 2025.\u003cbr\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-926\", \"description\": \"CWE-926 Improper Export of Android Application Components\"}]}], \"providerMetadata\": {\"orgId\": \"4bb8329e-dd38-46c1-aafb-9bf32bcb93c6\", \"shortName\": \"CERT-PL\", \"dateUpdated\": \"2025-06-10T09:12:56.279Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-13917\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-06-10T09:12:56.279Z\", \"dateReserved\": \"2025-03-04T13:18:36.774Z\", \"assignerOrgId\": \"4bb8329e-dd38-46c1-aafb-9bf32bcb93c6\", \"datePublished\": \"2025-05-30T15:17:47.318Z\", \"assignerShortName\": \"CERT-PL\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.