Improper Preservation of Permissions

CVE-2023-28646

Medium

4.4/10

Summary

Nextcloud android is an android app for interfacing with the nextcloud home server ecosystem. In versions from 3.7.0 and before 3.24.1 an attacker that has access to the unlocked physical device can bypass the Nextcloud Android Pin/passcode protection via a thirdparty app. This allows to see meta information like sharer, sharees and activity of files. It is recommended that the Nextcloud Android app is upgraded to 3.24.1. There are no known workarounds for this vulnerability.

Attack Complexity: HIGH
Attack Vector: PHYSICAL
Integrity Impact: LOW
Scope: CHANGED
User Interaction: REQUIRED
Privileges Required: LOW
Confidentiality Impact: LOW
Availability Impact: LOW

CWE-281 - Improper Preservation of Permissions

The software does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.

References

Advisory Timeline

Published Mar 30, 2023

Improper Preservation of Permissions

CVE-2023-28646

Summary

CWE-281 - Improper Preservation of Permissions

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS