CVE-2024-2045

{"id": "CVE-2024-2045", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "help@fluidattacks.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.8}, {"type": "Secondary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2024-03-01T00:15:52.493", "references": [{"url": "https://fluidattacks.com/advisories/newman/", "tags": ["Exploit", "Third Party Advisory"], "source": "help@fluidattacks.com"}, {"url": "https://github.com/oxen-io/session-android/", "tags": ["Product"], "source": "help@fluidattacks.com"}, {"url": "https://fluidattacks.com/advisories/newman/", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/oxen-io/session-android/", "tags": ["Product"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "help@fluidattacks.com", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "Session version 1.17.5 allows obtaining internal application files and public\n\nfiles from the user's device without the user's consent. This is possible\n\nbecause the application is vulnerable to Local File Read via chat attachments."}, {"lang": "es", "value": "La versi\u00f3n de sesi\u00f3n 1.17.5 permite obtener archivos de aplicaciones internas y archivos p\u00fablicos del dispositivo del usuario sin el consentimiento del usuario. Esto es posible porque la aplicaci\u00f3n es vulnerable a la lectura de archivos locales a trav\u00e9s de archivos adjuntos del chat."}], "lastModified": "2025-05-19T17:15:22.250", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:opft:session:1.17.5:*:*:*:*:android:*:*", "vulnerable": true, "matchCriteriaId": "E955A49B-FF35-4AC4-AD90-E7F17EE69811"}], "operator": "OR"}]}], "sourceIdentifier": "help@fluidattacks.com"}