History: Feb 13, 2023 - 5:15 p.m.

CVE-2023-24804

2023-02-13 17:15:11
CWE-22
web.nvd.nist.gov
owncloud
android
app
vulnerability
path traversal
bypass
information disclosure
arbitrary file write

CVSS3: 5 Medium

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

AI Score: 4.7 Medium (Confidence: High)

EPSS: 0.001 Low (Percentile: 30.7%)

The ownCloud Android app allows ownCloud users to access, share, and edit files and folders. Prior to version 3.0, the app has an incomplete fix for a path traversal issue and is vulnerable to two bypass methods. The bypasses may lead to information disclosure when uploading the app’s internal files, and to arbitrary file write when uploading plain text files (although limited by the .txt extension). Version 3.0 fixes the reported bypasses.

Affected configurations

Node: owncloud owncloud, Range: <3.0

Vendor: owncloud
Product: owncloud
Version: *
CPE: cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "vendor": "ownCloud",
    "product": "Android",
    "versions": [
      {
        "version": "< 3.0",
        "status": "affected"
      }
    ]
  }
]
