CVE-2023-23948

Summary

The ownCloud Android app allows ownCloud users to access, share, and edit files and folders. Version 2.21.1 of the ownCloud Android app is vulnerable to SQL injection in FileContentProvider.kt. This issue can lead to information disclosure. Two databases, filelist and owncloud_database, are affected. In version 3.0, the filelist database was deprecated. However, injections affecting owncloud_database remain relevant as of version 3.0.

Affected Software

VendorProductVersion RangeStatus
ownCloudAndroid<= 3.0affected

Weaknesses

  • CWE-89: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References