{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tasks:tasks:*:*:*:*:*:android:*:*", "matchCriteriaId": "268C3011-5D3E-433D-B34B-F32DC954D97A", "versionEndExcluding": "12.7.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:tasks:tasks:13.0.0:*:*:*:*:android:*:*", "matchCriteriaId": "CA5E120A-A1C4-4A7C-BC58-14FF05B0D3F1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Tasks.org Android app is an open-source app for to-do lists and reminders. The Tasks.org app uses the activity `ShareLinkActivity.kt` to handle \"share\" intents coming from other components in the same device and convert them to tasks. Those intents may contain arbitrary file paths as attachments, in which case the files pointed by those paths are copied in the app's external storage directory. Prior to versions 12.7.1 and 13.0.1, those paths were not validated, allowing a malicious or compromised application in the same device to force Tasks.org to copy files from its internal storage to its external storage directory, where they became accessible to any component with permission to read the external storage. This vulnerability can lead to sensitive information disclosure. All information in the user's notes and the app's preferences, including the encrypted credentials of CalDav integrations if enabled, could be accessed by third party applications installed on the same device. This issue was fixed in versions 12.7.1 and 13.0.1. There are no known workarounds."}, {"lang": "es", "value": "La aplicaci\u00f3n Tasks.org para Android es una aplicaci\u00f3n de c\u00f3digo abierto para listas de tareas y recordatorios. La aplicaci\u00f3n Tasks.org usa la actividad \"ShareLinkActivity.kt\" para manejar los intentos de \"compartir\" procedentes de otros componentes en el mismo dispositivo y convertirlos en tareas. 
Estos intentos pueden contener rutas de archivos arbitrarias como adjuntos, en cuyo caso los archivos apuntados por esas rutas son copiadas en el directorio de almacenamiento externo de la app. En versiones anteriores a 12.7.1 y 13.0.1, esas rutas no eran comprendidas, permitiendo que una aplicaci\u00f3n maliciosa o comprometida en el mismo dispositivo forzara a Tasks.org a copiar archivos de su almacenamiento interno a su directorio de almacenamiento externo, donde quedaban accesibles para cualquier componente con permiso para leer el almacenamiento externo. Esta vulnerabilidad puede conllevar a una divulgaci\u00f3n de informaci\u00f3n confidencial. Toda la informaci\u00f3n de las notas del usuario y de las preferencias de la aplicaci\u00f3n, incluidas las credenciales cifradas de las integraciones de CalDav si est\u00e1n activadas, pod\u00eda ser accesible por aplicaciones de terceros instaladas en el mismo dispositivo. Este problema ha sido corregido en versiones 12.7.1 y 13.0.1. No se presentan mitigaciones conocidas"}], "id": "CVE-2022-39349", "lastModified": "2024-11-21T07:18:05.543", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 
1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-10-25T17:15:56.483", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/tasks/tasks/commit/23bf69d3f44b07e4bc62ea107f72103239f5d942"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/tasks/tasks/security/advisories/GHSA-8x58-cg74-8jg8"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/tasks/tasks/commit/23bf69d3f44b07e4bc62ea107f72103239f5d942"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/tasks/tasks/security/advisories/GHSA-8x58-cg74-8jg8"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-441"}, {"lang": "en", "value": "CWE-668"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-668"}], "source": "nvd@nist.gov", "type": "Primary"}]}