SB2023010313 - Multiple vulnerabilities in ownCloud Android App
Published: January 3, 2023
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 vulnerabilities.
1) Incorrect default permissions (CVE-ID: CVE-2022-25339)
CWE-ID: CWE-276 - Incorrect Default Permissions
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local application to gain access to sensitive application files.
The vulnerability exists due to incorrect default permissions for files and folders that are set by the application. A local application can access internal files of the application.
2) Security features bypass (CVE-ID: CVE-2022-25338)
CWE-ID: CWE-254 - Security Features
CVSSv4: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows an attacker to bypass implemented security features.
The vulnerability exists due to unspecified error in the app lock functionality. An attacker with physical access to device can bypass the app lock and gain unauthorized access to the application.
Remediation
Install update from vendor's website.