Vulnerability Details : CVE-2022-39349
The Tasks.org Android app is an open-source app for to-do lists and reminders. The Tasks.org app uses the activity `ShareLinkActivity.kt` to handle "share" intents coming from other components on the same device and convert them to tasks. Those intents may contain arbitrary file paths as attachments, in which case the files pointed to by those paths are copied into the app's external storage directory. Prior to versions 12.7.1 and 13.0.1, those paths were not validated, allowing a malicious or compromised application on the same device to force Tasks.org to copy files from its internal storage to its external storage directory, where they became accessible to any component with permission to read external storage. This vulnerability can lead to sensitive information disclosure. All information in the user's notes and the app's preferences, including the encrypted credentials of CalDAV integrations if enabled, could be accessed by third-party applications installed on the same device. This issue was fixed in versions 12.7.1 and 13.0.1. There are no known workarounds.
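As an added illustration of the fix direction named in the linked commit ("only accept content URIs"), the following hypothetical Kotlin helper is not the project's own code and not the actual patch: it extracts attachment URIs from a share intent and keeps only `content://` URIs, which are resolved through the sending app's content provider and its permissions, rather than file paths that the receiving app would open with its own file-system access.

```kotlin
import android.content.ContentResolver
import android.content.Intent
import android.net.Uri

// Hypothetical helper (not Tasks.org code): collect the attachment URIs a
// share intent carries in EXTRA_STREAM, for both single and multiple sends.
fun attachmentUris(intent: Intent): List<Uri> =
    when (intent.action) {
        Intent.ACTION_SEND ->
            listOfNotNull(intent.getParcelableExtra<Uri>(Intent.EXTRA_STREAM))
        Intent.ACTION_SEND_MULTIPLE ->
            intent.getParcelableArrayListExtra<Uri>(Intent.EXTRA_STREAM) ?: emptyList()
        else -> emptyList()
    }

// The weak pattern: a file:// URI (or a bare path) is opened as File(uri.path)
// with this app's own privileges, so the sender chooses which of this app's
// files get copied out. Only a content:// URI is read through ContentResolver,
// under the access the *sending* app's provider actually grants.
fun isAcceptableAttachment(uri: Uri): Boolean =
    uri.scheme == ContentResolver.SCHEME_CONTENT

// Hardened entry point: anything that is not a content:// URI is dropped
// before any copy into external storage happens.
fun acceptedAttachments(intent: Intent): List<Uri> =
    attachmentUris(intent).filter { isAcceptableAttachment(it) }
```

Logging the rejected URIs (scheme and calling package) at this point gives a cheap detection signal for apps probing the share handler with `file://` paths.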
Products affected by CVE-2022-39349
- cpe:2.3:a:tasks:tasks:*:*:*:*:*:android:*:*
- cpe:2.3:a:tasks:tasks:13.0.0:*:*:*:*:android:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-39349
- EPSS score: 0.03% (probability of exploitation activity in the next 30 days)
- Percentile: ~5% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2022-39349
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
| 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 1.8 | 3.6 | NIST | |
| 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 1.8 | 3.6 | GitHub, Inc. | |
CWE ids for CVE-2022-39349
- The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor. Assigned by: security-advisories@github.com (Secondary)
- The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource. Assigned by: nvd@nist.gov (Primary); security-advisories@github.com (Secondary)
References for CVE-2022-39349
- https://github.com/tasks/tasks/commit/23bf69d3f44b07e4bc62ea107f72103239f5d942 (Only accept content URIs in share activity · tasks/tasks@23bf69d · GitHub) Patch; Third Party Advisory
- https://github.com/tasks/tasks/security/advisories/GHSA-8x58-cg74-8jg8 (Data exfiltration by malicious app or adb · Advisory · tasks/tasks · GitHub) Patch; Third Party Advisory