- Risk: low
- CVSS v3 Base Score: 5
- CVSS v3 Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
- CWE ID: CWE-89
- CWE Name: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
- CVE: CVE-2023-23948
Description
Due to some insecure code in a exported content provider an attacker with local access could retrieve information from the ownCloud app database through SQL injection.
Affected
- ownCloud Android app < 3.0.4
Action taken
Unexported the content provider so that it’s only accessible by the ownCloud app.
Acknowledgment
This issue was discovered and reported by the CodeQL team member @atorralba (Tony Torralba).