Unintended Proxy or Intermediary ('Confused Deputy')

CVE-2023-33188

Medium

6.3/10

Summary

Omni-notes is an open source note-taking application for Android. The Omni-notes Android app had an insufficient path validation vulnerability when displaying the details of a note received through an externally-provided intent. The paths of the note's attachments were not properly validated, allowing malicious or compromised applications in the same device to force Omni-notes to copy files from its internal storage to its external storage directory, where they would have become accessible to any component with permission to read the external storage. Updating to the newest version (6.2.7) of Omni-notes Android fixes this vulnerability.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: NONE
Scope: UNCHANGED
User Interaction: REQUIRED
Privileges Required: LOW
Confidentiality Impact: HIGH
Availability Impact: LOW

CWE-441 - Unintended Proxy or Intermediary ('Confused Deputy')

The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.

References

Advisory Timeline

Published May 27, 2023

Unintended Proxy or Intermediary ('Confused Deputy')

CVE-2023-33188

Summary

CWE-441 - Unintended Proxy or Intermediary ('Confused Deputy')

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS