Lucene search

HackeroneVULNRICHMENT:CVE-2024-37403

HistoryAug 07, 2024 - 3:54 a.m.

CVE-2024-37403

2024-08-0703:54:46

hackerone

github.com

ivanti docs@work

android

dirty stream

path traversal

vulnerability

sensitive information

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

AI Score

6.1

Confidence

Low

EPSS

0.001

Percentile

22.6%

SSVC

Exploitation

none

Automatable

Technical Impact

partial

JSON

Ivanti Docs@Work for Android, before 2.26.0 is affected by the ‘Dirty Stream’ vulnerability. The application fails to properly sanitize file names, resulting in a path traversal-affiliated vulnerability. This potentially enables other malicious apps on the device to read sensitive information stored in the app root.

CNA Affected

[
  {
    "vendor": "Ivanti",
    "product": "Docs@Work",
    "versions": [
      {
        "status": "affected",
        "version": "2.26.0",
        "lessThan": "2.26.0",
        "versionType": "custom"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

References

forums.ivanti.com/s/article/Security-Advisory-CVE-2024-37403-Dirty-Stream-for-Ivanti-Docs-Work-for-Android

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

AI Score

6.1

Confidence

Low

EPSS

0.001

Percentile

22.6%

SSVC

Exploitation

none

Automatable

Technical Impact

partial

JSON

Related for VULNRICHMENT:CVE-2024-37403