Insufficient path validation in Android App

Feb 13, 2023

  • Risk: low
  • CVSS v3 Base Score: 5
  • CVSS v3 Vector: AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
  • CWE ID: CWE-35
  • CWE Name: Path Traversal: ‘.../...//’
  • CVE: CVE-2023-24804

Description

Due to missing file path sanitization, an attacker could read from and write to the Android app’s internal storage.

Affected

  • ownCloud app for Android < 3.0

Action taken

Added proper sanitization and validation of the file path.
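
One way to validate a file path against an app-private base directory, shown as an added example. It is not ownCloud's actual patch; the class, method names, base directory and sample inputs are constructed for illustration. It contrasts a single-pass `../` filter, which the CWE-35 pattern `.../...//` defeats, with a canonicalize-then-contain check.

```java
import java.io.File;
import java.io.IOException;

public class PathContainment {

    // Weak check (constructed): strips "../" in one pass and never resolves the result.
    // ".../...//x" becomes "../x" after the strip, so the filter rebuilds the traversal.
    static File naiveResolve(File baseDir, String userPath) {
        return new File(baseDir, userPath.replace("../", ""));
    }

    // Hardened check: resolve the path first, then require it to stay under baseDir.
    // No filtering is applied; "..." is simply treated as an ordinary directory name.
    static File safeResolve(File baseDir, String userPath) throws IOException {
        File base = baseDir.getCanonicalFile();
        File target = new File(base, userPath).getCanonicalFile();
        // Trailing separator stops "/data/app_files_evil" matching "/data/app_files".
        String prefix = base.getPath() + File.separator;
        if (!target.getPath().startsWith(prefix)) {
            throw new SecurityException("Path escapes " + base + ": " + userPath);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        // Constructed base directory and inputs; not values from the advisory.
        File base = new File(System.getProperty("java.io.tmpdir"), "app_files");
        String[] inputs = {
            "docs/report.txt",
            "../shared_prefs/a.xml",
            ".../...//shared_prefs/a.xml"
        };
        for (String in : inputs) {
            File naive = naiveResolve(base, in);
            boolean naiveEscapes = !naive.getCanonicalPath()
                    .startsWith(base.getCanonicalPath() + File.separator);
            String safe;
            try {
                safe = "allowed -> " + safeResolve(base, in);
            } catch (SecurityException e) {
                safe = "rejected";
            }
            System.out.printf("%-30s naive escapes base: %-5b safe: %s%n",
                    in, naiveEscapes, safe);
        }
    }
}
```

On Android the base directory would typically come from `Context.getFilesDir()` or a similar app-private location; the temporary directory is used here only so the example runs on a desktop JVM.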

Acknowledgment

This issue was discovered and reported by the CodeQL team member @atorralba (Tony Torralba).