Lucene search

[email protected]CVE-2024-2045

HistoryMar 01, 2024 - 12:15 a.m.

CVE-2024-2045

2024-03-0100:15:52

CWE-22

[email protected]

web.nvd.nist.gov

cve-2024-2045

session version 1.17.5

local file read

user consent

nvd

4.4 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N

4.7 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

10.6%

JSON

Session version 1.17.5 allows obtaining internal application files and public

files from the user’s device without the user’s consent. This is possible

because the application is vulnerable to Local File Read via chat attachments.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Session",
    "vendor": "Session",
    "versions": [
      {
        "status": "affected",
        "version": "1.17.5"
      }
    ]
  }
]

References

fluidattacks.com/advisories/newman/

github.com/oxen-io/session-android/

4.4 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N

4.7 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

10.6%

JSON

Related for CVE-2024-2045

prion1 nvd1 cvelist1