CVE-2024-2045

Session version 1.17.5 allows obtaining internal application files and public files from the user's device without the user's consent. This is possible because the application is vulnerable to Local File Read via chat attachments.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://fluidattacks.com/advisories/newman/	Exploit Third Party Advisory
https://github.com/oxen-io/session-android/	Product
https://fluidattacks.com/advisories/newman/	Exploit Third Party Advisory
https://github.com/oxen-io/session-android/	Product

Configurations

Configuration 1 (hide)

cpe:2.3:a:opft:session:1.17.5:*:*:*:*:android:*:*

History

19 May 2025, 17:15

Type	Values Removed	Values Added
First Time		Opft Opft session
CVSS	v2 : ~~unknown~~ v3 : ~~4.4~~	v2 : unknown v3 : 5.5
References	~~() https://fluidattacks.com/advisories/newman/ -~~	() https://fluidattacks.com/advisories/newman/ - Exploit, Third Party Advisory
References	~~() https://github.com/oxen-io/session-android/ -~~	() https://github.com/oxen-io/session-android/ - Product
CPE		cpe:2.3:a:opft:session:1.17.5:::::android::
Summary	(en) Session version 1.17.5 allows obtaining internal application files and public files from the user's device without the user's consent. This is possible because the application is vulnerable to Local File Read via chat attachments.	(en) Session version 1.17.5 allows obtaining internal application files and public files from the user's device without the user's consent. This is possible because the application is vulnerable to Local File Read via chat attachments.

Information

Published : 2024-03-01 00:15

Updated : 2025-05-19 17:15

NVD link : CVE-2024-2045

Mitre link : CVE-2024-2045

CVE.ORG link : CVE-2024-2045

JSON object : View

Products Affected

opft

session

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2024-2045", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "help@fluidattacks.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.8}, {"type": "Secondary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2024-03-01T00:15:52.493", "references": [{"url": "https://fluidattacks.com/advisories/newman/", "tags": ["Exploit", "Third Party Advisory"], "source": "help@fluidattacks.com"}, {"url": "https://github.com/oxen-io/session-android/", "tags": ["Product"], "source": "help@fluidattacks.com"}, {"url": "https://fluidattacks.com/advisories/newman/", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/oxen-io/session-android/", "tags": ["Product"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "help@fluidattacks.com", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "Session version 1.17.5 allows obtaining internal application files and public\n\nfiles from the user's device without the user's consent. This is possible\n\nbecause the application is vulnerable to Local File Read via chat attachments."}, {"lang": "es", "value": "La versi\u00f3n de sesi\u00f3n 1.17.5 permite obtener archivos de aplicaciones internas y archivos p\u00fablicos del dispositivo del usuario sin el consentimiento del usuario. Esto es posible porque la aplicaci\u00f3n es vulnerable a la lectura de archivos locales a trav\u00e9s de archivos adjuntos del chat."}], "lastModified": "2025-05-19T17:15:22.250", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:opft:session:1.17.5:*:*:*:*:android:*:*", "vulnerable": true, "matchCriteriaId": "E955A49B-FF35-4AC4-AD90-E7F17EE69811"}], "operator": "OR"}]}], "sourceIdentifier": "help@fluidattacks.com"}