
Cloud Vulnerability DB
A community-led vulnerabilities database
A directory traversal vulnerability was discovered in Apktool versions before 2.9.3 on Windows systems. The vulnerability, identified as CVE-2024-24482, was reported on January 20, 2024. The issue allows attackers to perform directory traversal using '../' and '/..' patterns when processing resource files during APK decoding operations (GitHub Advisory).
The vulnerability stems from insufficient path filtering in Apktool's resource handling mechanism. The tool infers resource files' output paths based on their resource names, following the pattern [output-dir]/res/[type]/[resource-name]+[ext of (resource-file)]. The security check implementation failed to properly detect directory traversal attempts on Windows systems, allowing manipulation of resource names to bypass the existing security controls (GitHub Advisory).
The vulnerability has been assigned a High severity rating with a CVSS score of 7.1. When exploited, it can lead to high impact on both confidentiality and integrity of the affected system, potentially allowing attackers to write files to arbitrary locations on Windows systems (GitHub Advisory).
Users are advised to upgrade to Apktool version 2.9.3 or later, which contains the fix for this vulnerability. The patched version implements improved path filtering mechanisms to prevent directory traversal attacks (GitHub Advisory).
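As an added illustration of the kind of check the fix needs (this is not Apktool's own code; the function names and sample paths are assumptions), the snippet below derives an output path from the advisory's [output-dir]/res/[type]/[resource-name]+[ext] pattern and rejects any resource name whose lexically resolved path leaves the resource directory, splitting on both '/' and '\' so Windows separators are covered even when run on another platform.

```python
"""Added example: containment check for Apktool-style resource output paths.

Apktool derives each decoded resource's path as
    [output-dir]/res/[type]/[resource-name] + [ext]
The advisory says the pre-2.9.3 check missed traversal on Windows. This
illustrative check (not Apktool's code) refuses any resource name whose
resolved path would escape [output-dir]/res/[type].
"""
from pathlib import PureWindowsPath, PurePosixPath


def _normalize(parts):
    """Resolve '.' and '..' lexically.

    Returns the remaining components, or None if a '..' would climb above
    the anchor directory (i.e. the name traverses out of it).
    """
    stack = []
    for p in parts:
        if p in ("", "."):
            continue  # empty (leading/double separator) and '.' are no-ops
        if p == "..":
            if not stack:
                return None  # '../' or '/..' at the top: escapes the base
            stack.pop()
        else:
            stack.append(p)
    return stack


def resource_output_path(output_dir, res_type, resource_name, ext, windows=True):
    """Return the output path as a string, or None if the name is unsafe.

    `windows=True` uses PureWindowsPath so Windows semantics are checked on
    any host. The resource name is split on both '/' and '\\' so backslash
    variants of '../' and '/..' are caught as well.
    """
    P = PureWindowsPath if windows else PurePosixPath
    base = P(output_dir) / "res" / res_type
    if windows and ":" in resource_name:
        return None  # drive-relative names such as 'D:evil' are never valid
    pieces = resource_name.replace("\\", "/").split("/")
    rel = _normalize(pieces)
    if not rel:
        return None  # escaped the base, or nothing left to name the file
    candidate = base.joinpath(*rel)
    # Defence in depth: the final path must still start with the base's parts.
    if candidate.parts[: len(base.parts)] != base.parts:
        return None
    return str(candidate.with_name(candidate.name + ext))
```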
Source: This report was generated using AI