SQL injection in FileContentProvider.kt

Mar 14, 2023

  • Risk: low
  • CVSS v3 Base Score: 5
  • CVSS v3 Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
  • CWE ID: CWE-89
  • CWE Name: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
  • CVE: CVE-2023-23948

Description

Due to insecure code in an exported content provider, an attacker with local access (for example, a malicious app installed on the same device) could retrieve information from the ownCloud app database through SQL injection.

Affected

  • ownCloud Android app < 3.0.4

Action taken

Unexported the content provider (android:exported="false" in the manifest) so that it is accessible only by the ownCloud app itself.
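The general pattern behind this class of finding, as an added illustration that is not ownCloud's FileContentProvider.kt and not the code that carried CVE-2023-23948: a content provider that splices caller-supplied strings into SQL, beside a hardened query() and the manifest change that matches the action taken above. NotesProvider, NotesDbHelper, the notes and secrets tables and the com.example.notes authority are hypothetical names chosen for the example.

```kotlin
// Illustrative example only (hypothetical provider, not ownCloud's FileContentProvider.kt).
package com.example.notes

import android.content.ContentProvider
import android.content.ContentValues
import android.content.Context
import android.database.Cursor
import android.database.sqlite.SQLiteDatabase
import android.database.sqlite.SQLiteOpenHelper
import android.database.sqlite.SQLiteQueryBuilder
import android.net.Uri

// AndroidManifest.xml: the fix this advisory describes is to stop exporting the
// provider at all, which closes it to other apps regardless of the query code:
//   <provider android:name=".NotesProvider"
//             android:authorities="com.example.notes"
//             android:exported="false" />

private const val DB_NAME = "notes.db"   // hypothetical
private const val TABLE_NOTES = "notes"  // hypothetical

class NotesDbHelper(context: Context) : SQLiteOpenHelper(context, DB_NAME, null, 1) {
    override fun onCreate(db: SQLiteDatabase) {
        db.execSQL("CREATE TABLE $TABLE_NOTES (_id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
        // A second table stands in for data the caller should never be able to reach.
        db.execSQL("CREATE TABLE secrets (_id INTEGER PRIMARY KEY, token TEXT)")
    }
    override fun onUpgrade(db: SQLiteDatabase, oldVersion: Int, newVersion: Int) {}
}

class NotesProvider : ContentProvider() {
    private lateinit var dbHelper: NotesDbHelper

    override fun onCreate(): Boolean {
        dbHelper = NotesDbHelper(requireNotNull(context))
        return true
    }

    // BEFORE (CWE-89): caller-controlled text is concatenated into the SQL string.
    // selectionArgs are ignored, so callers are forced to inline values, and an app
    // reaching an exported provider can send a selection such as
    //   "1=1 UNION SELECT _id, token, NULL FROM secrets"
    // and read rows from a table the provider never meant to expose.
    fun queryVulnerable(selection: String?, sortOrder: String?): Cursor {
        val where = if (selection.isNullOrBlank()) "" else " WHERE $selection"
        val order = if (sortOrder.isNullOrBlank()) "" else " ORDER BY $sortOrder"
        return dbHelper.readableDatabase.rawQuery("SELECT * FROM $TABLE_NOTES$where$order", null)
    }

    // AFTER: values travel in selectionArgs and are bound by SQLite, the projection
    // map restricts which columns may be named, and strict mode makes
    // SQLiteQueryBuilder reject a selection that does not parse as a plain WHERE
    // clause over those columns.
    override fun query(
        uri: Uri, projection: Array<String>?, selection: String?,
        selectionArgs: Array<String>?, sortOrder: String?
    ): Cursor? {
        val qb = SQLiteQueryBuilder().apply {
            setTables(TABLE_NOTES)
            setProjectionMap(mapOf("_id" to "_id", "title" to "title", "body" to "body"))
            setStrict(true)
        }
        return qb.query(dbHelper.readableDatabase, projection, selection, selectionArgs,
                        null, null, sortOrder)
    }

    override fun getType(uri: Uri): String? = "vnd.android.cursor.dir/vnd.example.note"

    override fun insert(uri: Uri, values: ContentValues?): Uri? {
        val id = dbHelper.writableDatabase.insert(TABLE_NOTES, null, values)
        return if (id < 0) null else Uri.withAppendedPath(uri, id.toString())
    }

    override fun delete(uri: Uri, selection: String?, selectionArgs: Array<String>?): Int =
        dbHelper.writableDatabase.delete(TABLE_NOTES, selection, selectionArgs)

    override fun update(uri: Uri, values: ContentValues?, selection: String?,
                        selectionArgs: Array<String>?): Int =
        dbHelper.writableDatabase.update(TABLE_NOTES, values, selection, selectionArgs)
}
```

Unexporting remains the right fix whenever no other app needs the data: even with the hardened query(), an exported provider lets any app on the device read whatever the projection map allows, because the ContentProvider contract treats selection as a WHERE fragment the caller chooses. Strict mode, a projection map and bound selectionArgs are the defence for providers that genuinely must be exported.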

Acknowledgment

This issue was discovered and reported by @atorralba (Tony Torralba) of the CodeQL team.