CVE-2022-39349
Tasks.org vulnerable to data exfiltration by malicious app or adb
- Public Exploits: 0
- Exploited in Wild: -
- Decision: -

Description
The Tasks.org Android app is an open-source app for to-do lists and reminders. The Tasks.org app uses the activity `ShareLinkActivity.kt` to handle "share" intents coming from other components on the same device and convert them into tasks. Those intents may contain arbitrary file paths as attachments, in which case the files pointed to by those paths are copied into the app's external storage directory. Prior to versions 12.7.1 and 13.0.1, those paths were not validated, allowing a malicious or compromised application on the same device to force Tasks.org to copy files from its own internal storage into its external storage directory, where they became accessible to any component with permission to read external storage. This vulnerability can lead to sensitive information disclosure: all information in the user's notes and the app's preferences, including the encrypted credentials of CalDav integrations if enabled, could be accessed by third-party applications installed on the same device. This issue was fixed in versions 12.7.1 and 13.0.1. There are no known workarounds.
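As an added illustration (not Tasks.org's own code and not its actual fix), the check below models the validation that was missing: before copying a shared attachment, resolve the candidate path and reject anything that lands inside the app's private data directories. The private roots and sample paths are constructed so the snippet runs offline on a plain JVM; in the app the roots would come from the Context (filesDir, cacheDir, dataDir), which is an assumption about how it would be wired in.

```kotlin
import java.io.File

// Illustrative policy, not Tasks.org code: directories an attachment path must never
// resolve into. On a device these would be context.filesDir, context.cacheDir, context.dataDir.
class AttachmentPathPolicy(private val privateRoots: List<File>) {

    // True only if the fully resolved path lies outside every private root.
    // canonicalFile resolves "..", "." and symlinks, so a traversal such as
    // "/sdcard/../data/data/org.tasks/x" and a symlink planted in a shared
    // directory that points at internal storage are both rejected.
    fun isAllowed(candidate: File): Boolean {
        val resolved = candidate.canonicalFile
        return privateRoots.none { root -> resolved.startsWithDir(root.canonicalFile) }
    }

    // Component-wise prefix test: a plain String.startsWith would wrongly treat
    // "/data/data/org.tasks2/f" as living inside "/data/data/org.tasks".
    private fun File.startsWithDir(dir: File): Boolean =
        generateSequence(this) { it.parentFile }.any { it == dir }
}

fun main() {
    // Constructed directory layout standing in for the device's internal and external storage.
    val tmp = File(System.getProperty("java.io.tmpdir"), "cve-2022-39349-demo").apply { mkdirs() }
    val internal = File(tmp, "data/data/org.tasks").apply { mkdirs() }
    val external = File(tmp, "sdcard/Android/data/org.tasks/files").apply { mkdirs() }
    val lookalike = File(tmp, "data/data/org.tasks2").apply { mkdirs() }

    val policy = AttachmentPathPolicy(listOf(internal))
    val cases = listOf(
        File(external, "photo.jpg"),                                        // ordinary shared file: ALLOW
        File(internal, "shared_prefs/prefs.xml"),                           // app-private file: REJECT
        File(external, "../../../../../data/data/org.tasks/databases/db"), // traversal into internal: REJECT
        File(lookalike, "note.txt"),                                        // prefix look-alike: ALLOW
    )
    for (f in cases) println("${if (policy.isAllowed(f)) "ALLOW " else "REJECT"} $f")
}
```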
CVSS Scores
SSVC
- Decision: -
Timeline
- 2022-09-02 CVE Reserved
- 2022-10-25 CVE Published
- 2024-05-17 EPSS Updated
- 2024-08-03 CVE Updated
- Exploited in Wild: -
- KEV Due Date: -
- First Exploit: -
CWE
- CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')
- CWE-668: Exposure of Resource to Wrong Sphere
CAPEC
References (2)

URL | Date | Source
---|---|---
https://github.com/tasks/tasks/commit/23bf69d3f44b07e4bc62ea107f72103239f5d942 | 2022-10-28 |
https://github.com/tasks/tasks/security/advisories/GHSA-8x58-cg74-8jg8 | 2022-10-28 |
Affected Vendors, Products, and Versions

Vendor | Product | Version | Other | Status
---|---|---|---|---
Tasks | Tasks | < 12.7.1 | android | Affected
Tasks | Tasks | 13.0.0 | android | Affected