Vulnerability Description
The ownCloud Android app allows ownCloud users to access, share, and edit files and folders. Prior to version 3.0, the app has an incomplete fix for a path traversal issue and is vulnerable to two bypass methods. The bypasses may lead to information disclosure when uploading the app’s internal files, and to arbitrary file write when uploading plain text files (although limited by the .txt extension). Version 3.0 fixes the reported bypasses.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Owncloud | Owncloud Client | < 3.0.0 |
Related Weaknesses (CWE)
References
- https://hackerone.com/reports/377107ExploitThird Party Advisory
- https://owncloud.com/security-advisories/oc-sa-2023-001/Vendor Advisory
- https://securitylab.github.com/advisories/GHSL-2022-059_GHSL-2022-060_Owncloud_AExploitThird Party Advisory
- https://hackerone.com/reports/377107ExploitThird Party Advisory
- https://owncloud.com/security-advisories/oc-sa-2023-001/Vendor Advisory
- https://securitylab.github.com/advisories/GHSL-2022-059_GHSL-2022-060_Owncloud_AExploitThird Party Advisory
FAQ
What is CVE-2023-24804?
CVE-2023-24804 is a vulnerability with a CVSS score of 5.0 (MEDIUM). The ownCloud Android app allows ownCloud users to access, share, and edit files and folders. Prior to version 3.0, the app has an incomplete fix for a path traversal issue and is vulnerable to two byp...
How severe is CVE-2023-24804?
CVE-2023-24804 has been rated MEDIUM with a CVSS base score of 5.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-24804?
Check the references section above for vendor advisories and patch information. Affected products include: Owncloud Owncloud Client.