Cleartext storage of sensitive information in ownCloud Android App - #VU33682

 

Cleartext storage of sensitive information in ownCloud Android App - #VU33682

Published: August 4, 2020


Vulnerability identifier: #VU33682
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:P/AC:L/AT:P/PR:L/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-312
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: ownCloud
Affected software:
ownCloud Android App

Detailed vulnerability description

The vulnerability allows a local attacker to gain access to potentially sensitive information.

The vulnerability exists within the app lock feature such as the pincode/pattern due to creating a backup of the ownCloud Android app via adb provides access to the app preferences file. An authenticated attacker with physical access can change the values, restore the backup to the device and circumvent the lock.


Remediation

Install updates from vendor's website.

Sources