Vendor: OpenKeychain
Product: OpenKeychain
Vulnerable version: 5.8.2 (58902)
Vulnerability type:
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Identifier (ID): BDU:2024-03056
Vulnerability vector:
- Base vulnerability score (CVSSv3.1): CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- Severity (CVSSv3.1): 4.6 (medium)
- Base vulnerability score (CVSSv4.0): CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
- Severity (CVSSv4.0): 5.1 (medium)
Description:
The vulnerability was identified in OpenKeychain v.5.8.2 (58902). It allows a potential attacker to read any files available to the application (including files in the application sandbox) and save files to external storage. The vulnerability is caused by insufficient filtering of input parameters.
Vulnerability status: Confirmed by vendor
Date of vulnerability detection: 19.07.2023
Recommendations: Update to version >6.
Additional information: -
Researcher: Artem Kulakov (Positive Technologies)