Bypassing Accept File Dialog Vulnerability in QuickShare/Nearby
CVE-2024-38272

4.3 MEDIUM

Key Information:

Vendor: Google
Status: Vendor
CVE Published: 26 June 2024

Badges

📈 Score: 195 | 👾 Exploit Exists | 📰 News Worthy

What is CVE-2024-38272?

CVE-2024-38272 is a vulnerability affecting the Quick Share/Nearby application developed by Google. This application enables users to share files seamlessly across devices. The vulnerability allows an attacker to bypass the accept file dialog, which is a safeguard designed to ensure that users authorize file transfers. If exploited, this vulnerability could lead to unauthorized file transfers, compromising user privacy and data integrity within organizations that rely on these file-sharing capabilities.

Technical Details

CVE-2024-38272 occurs specifically in the Windows version of Quick Share/Nearby. The flaw is related to how the application manages the accept file dialog when the visibility setting is configured to "everyone" or "contacts only." Under normal operation, user consent is required to accept incoming files, but due to this vulnerability, an attacker can circumvent these required confirmations. To mitigate this risk, it is advised to upgrade to version 1.0.1724.0 or later of Quick Share.

Potential impact of CVE-2024-38272

  1. Unauthorized File Transfers: Attackers may exploit this vulnerability to send files without user consent, potentially leading to the distribution of malware or sensitive information leaks.

  2. Data Breaches: Organizations could experience data breaches if unauthorized files include sensitive or confidential information, resulting in legal ramifications and loss of trust.

  3. Reputation Damage: If exploited, this vulnerability could undermine the integrity of the organization's data management practices, potentially damaging its reputation and client relationships.

Affected Version(s)

Nearby: from 0 up to, but not including, 1.0.1724.0

News Articles

Google’s Quick Share for Windows Vulnerability Let Attackers Remote Code

Critical vulnerabilities in Google's Quick Share file transfer utility for Windows allowed attackers to achieve remote code execution (RCE) without user interaction. 

2 weeks ago

Google Quick Share Bug Bypasses Allow 0-Click File Transfer

Google addresses patch bypasses for CVE-2024-38272 and CVE-2024-38271, part of the previously announced "QuickShell" silent RCE attack chain against Windows users.

2 weeks ago

CVSS V3.1

Score: 4.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Adjacent Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • 👾 Exploit known to exist

  • 📰 First article discovered

  • Vulnerability published

  • Vulnerability Reserved