cvelist / GitHub_M / CVELIST:CVE-2023-24804
History: Feb 13, 2023 - 4:28 p.m.

CVE-2023-24804 ownCloud Android app vulnerable to Path Traversal

2023-02-13 16:28:43
CWE-22
GitHub_M
www.cve.org
owncloud
android app
path traversal
information disclosure
arbitrary file write
bypass methods
version 3.0 fix

CVSS3: 5 Medium

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

AI Score: 5.3 Medium (Confidence: High)

EPSS: 0.001 Low (Percentile: 30.7%)

The ownCloud Android app allows ownCloud users to access, share, and edit files and folders. Prior to version 3.0, the app has an incomplete fix for a path traversal issue and is vulnerable to two bypass methods. The bypasses may lead to information disclosure when uploading the app’s internal files, and to arbitrary file write when uploading plain text files (although limited by the .txt extension). Version 3.0 fixes the reported bypasses.

CNA Affected

[
  {
    "vendor": "ownCloud",
    "product": "Android",
    "versions": [
      {
        "version": "< 3.0",
        "status": "affected"
      }
    ]
  }
]
