Lucene search

Fluid AttacksVULNRICHMENT:CVE-2024-2045

HistoryFeb 29, 2024 - 11:37 p.m.

CVE-2024-2045 Session 1.17.5 - LFR via chat attachment

2024-02-2923:37:37

CWE-22

Fluid Attacks

github.com

session version 1.17.5

unauthorized access

user files

chat attachments

local file read

CVSS3

4.4

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N

AI Score

6.8

Confidence

High

SSVC

Exploitation

poc

Automatable

Technical Impact

partial

JSON

Session version 1.17.5 allows obtaining internal application files and public

files from the user’s device without the user’s consent. This is possible

because the application is vulnerable to Local File Read via chat attachments.

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:a:opft:session:1.17.5:*:*:*:*:*:*:*"
    ],
    "vendor": "opft",
    "product": "session",
    "versions": [
      {
        "status": "affected",
        "version": "1.17.5"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

References

fluidattacks.com/advisories/newman/

github.com/oxen-io/session-android/

CVSS3

4.4

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N

AI Score

6.8

Confidence

High

SSVC

Exploitation

poc

Automatable

Technical Impact

partial

JSON

Related for VULNRICHMENT:CVE-2024-2045