ownCloud Android app vulnerable to Path Traversal
CVE-2023-24804

4.4MEDIUM

Key Information:

Vendor: Owncloud
Status: Android
Vendor: CVE Published:; 13 February 2023

What is CVE-2023-24804?

The ownCloud Android app allows ownCloud users to access, share, and edit files and folders. Prior to version 3.0, the app has an incomplete fix for a path traversal issue and is vulnerable to two bypass methods. The bypasses may lead to information disclosure when uploading the app’s internal files, and to arbitrary file write when uploading plain text files (although limited by the .txt extension). Version 3.0 fixes the reported bypasses.

Affected Version(s)

Android < 3.0

References

https://securitylab.github.com/advisories/GHSL-2022-059_G...

x_refsource_CONFIRM

https://hackerone.com/reports/377107

x_refsource_MISC

https://owncloud.com/security-advisories/oc-sa-2023-001/

x_refsource_MISC

CVSS V3.1

Score:

4.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 13, 2023
Vulnerability Reserved
Jan 30, 2023

Owncloud

What is CVE-2023-24804?

Affected Version(s)

References

CVSS V3.1

Timeline