Lucene search

Fluid AttacksCVELIST:CVE-2024-2045

HistoryFeb 29, 2024 - 11:37 p.m.

CVE-2024-2045 Session 1.17.5 - LFR via chat attachment

2024-02-2923:37:37

CWE-22

Fluid Attacks

www.cve.org

cve-2024-2045

session version 1.17.5

local file read

chat attachment

application vulnerability

CVSS3

4.4

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N

AI Score

Confidence

High

EPSS

Percentile

10.5%

JSON

Session version 1.17.5 allows obtaining internal application files and public

files from the user’s device without the user’s consent. This is possible

because the application is vulnerable to Local File Read via chat attachments.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Session",
    "vendor": "Session",
    "versions": [
      {
        "status": "affected",
        "version": "1.17.5"
      }
    ]
  }
]

References

fluidattacks.com/advisories/newman/

github.com/oxen-io/session-android/

CVSS3

4.4

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N

AI Score

Confidence

High

EPSS

Percentile

10.5%

JSON

Related for CVELIST:CVE-2024-2045