History: Aug 07, 2024 - 4:17 a.m.

CVE-2024-37403

2024-08-07 04:17:18
CWE-22
hackerone
web.nvd.nist.gov
ivanti docs@work
android
dirty stream
vulnerability
path traversal
malicious apps

CVSS3: 5.5

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

AI Score: 6.3 (Confidence: Low)

EPSS: 0.001 (Percentile: 22.6%)

Ivanti Docs@Work for Android before 2.26.0 is affected by the 'Dirty Stream' vulnerability. The application fails to properly sanitize file names, resulting in a path-traversal-related vulnerability. This potentially enables other malicious apps on the device to read sensitive information stored in the app root.

Affected configurations

Node (NVD): ivanti docs\@work, Range < 2.26.0, android

Vendor: ivanti
Product: docs\@work
Version: *
CPE: cpe:2.3:a:ivanti:docs\@work:*:*:*:*:*:android:*:*

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "vendor": "Ivanti",
    "product": "Docs@Work",
    "versions": [
      {
        "version": "2.26.0",
        "status": "affected",
        "lessThan": "2.26.0",
        "versionType": "custom"
      }
    ]
  }
]
