CVE-2024-33469
📋 TL;DR
This vulnerability allows a local attacker to execute arbitrary code through the onCreate method in DatabaseViewerActivity.java in Amaze File Manager. It affects users running versions 3.8.5 through 3.9.x of the application. The attacker must have local access to the device where the vulnerable app is installed.
💻 Affected Systems
- Team Amaze Amaze File Manager
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete device compromise with attacker gaining full control, data theft, and persistence through malicious code execution.
Likely Case
Local privilege escalation allowing attacker to access sensitive files, install malware, or modify system settings.
If Mitigated
Limited impact if app runs with minimal permissions and device has strong security controls.
🎯 Exploit Status
Exploitation requires local access and knowledge of the vulnerability. The attacker needs to trigger the vulnerable activity with crafted input.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v3.10 and later
Vendor Advisory: https://github.com/TeamAmaze/AmazeFileManager/releases/tag/v3.10.0
Restart Required: No
Instructions:
1. Open Google Play Store
2. Search for Amaze File Manager
3. Check if update to v3.10+ is available
4. Tap Update
5. Alternatively, download v3.10+ from GitHub releases and install manually
🔧 Temporary Workarounds
Disable or restrict app usage
Android: Temporarily disable Amaze File Manager or restrict its usage until patched
adb shell pm disable com.amaze.filemanager
adb shell pm hide com.amaze.filemanager
🧯 If You Can't Patch
- Uninstall Amaze File Manager completely from affected devices
- Use alternative file manager applications that are not vulnerable
🔍 How to Verify
Check if Vulnerable:
Check app version in Settings > Apps > Amaze File Manager > App info. If version is between 3.8.5 and 3.9.x, it's vulnerable.
Check Version:
adb shell dumpsys package com.amaze.filemanager | grep versionName
Verify Fix Applied:
Verify app version is 3.10 or higher after update. Check that DatabaseViewerActivity functions normally without crashes.
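Added example (not part of the original advisory or the Amaze project): a shell helper that classifies a versionName against the range this page gives, comparing components numerically because "3.10" sorts before "3.9" as a plain string. The function names, the below-range label and the sample dumpsys text are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify an Amaze File Manager versionName against the range
# on this page (3.8.5 through 3.9.x affected, v3.10 and later fixed).

# Constructed sample of the relevant `dumpsys package` lines (not real output).
SAMPLE_DUMPSYS='  Packages:
    versionName=3.9.0
    splits=[base]'

# Read `dumpsys package` output on stdin, print the first versionName value.
extract_version_name() {
    sed -n 's/^[[:space:]]*versionName=\(.*\)$/\1/p' | head -n 1 | tr -d '\r'
}

# Print vulnerable | patched | below-range | unknown for a version string.
# Components are compared as integers: as strings, "3.10" sorts before "3.9".
classify_amaze_version() {
    ver=${1#v}                # tolerate a leading "v" as in release tags
    ver=${ver%%[!0-9.]*}      # drop suffixes such as "-beta"
    case $ver in
        ''|.*|*..*) echo unknown; return 0 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $ver               # split on dots into $1 $2 $3
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    if [ "$major" -gt 3 ]; then echo patched
    elif [ "$major" -lt 3 ]; then echo below-range
    elif [ "$minor" -ge 10 ]; then echo patched
    elif [ "$minor" -eq 9 ]; then echo vulnerable
    elif [ "$minor" -eq 8 ] && [ "$patch" -ge 5 ]; then echo vulnerable
    else echo below-range
    fi
}

# Classify the constructed sample; on a real device, pipe the page's
# `adb shell dumpsys package com.amaze.filemanager` into extract_version_name.
classify_sample() {
    classify_amaze_version "$(printf '%s\n' "$SAMPLE_DUMPSYS" | extract_version_name)"
}

classify_sample   # prints: vulnerable
```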
📡 Detection & Monitoring
Log Indicators:
- Unusual activity in DatabaseViewerActivity
- Crash reports from Amaze File Manager
- Unexpected process execution from the app context
Network Indicators:
- None - this is a local vulnerability
SIEM Query:
app.name:"Amaze File Manager" AND (version:"3.8.5" OR version:"3.9*")