SB2024041920 - Multiple vulnerabilities in Element Android
Published: April 19, 2024
Description
This security bulletin contains information about 2 security vulnerabilities.
1) Improper restriction of communication channel to intended endpoints (CVE-ID: CVE-2024-26131)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to an intent redirection. A remote attacker can use a specially crafted application to start any internal activity by passing extra parameters.
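As an added illustration (not Element's code), this is the hardened pattern that the Android intent-redirection guidance linked under References recommends: an activity that forwards a nested Intent received from another app first resolves the target and refuses to forward it to a non-exported component. The class name and the extra key are assumptions for the example.

```kotlin
import android.content.Intent
import android.os.Bundle
import android.util.Log
import androidx.appcompat.app.AppCompatActivity

// Hypothetical activity that receives a nested Intent from another app and
// forwards it. The extra key below is an assumption for this illustration.
class ForwardingActivity : AppCompatActivity() {

    companion object {
        const val EXTRA_FORWARD = "com.example.EXTRA_FORWARD"
        private const val TAG = "ForwardingActivity"
    }

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        @Suppress("DEPRECATION")
        val nested: Intent? = intent.getParcelableExtra(EXTRA_FORWARD)
        if (nested == null) {
            finish()
            return
        }

        // Vulnerable form (intent redirection): calling startActivity(nested)
        // unconditionally would let the caller reach any of this app's
        // private (non-exported) activities with this app's identity.
        if (isSafeToForward(nested)) {
            startActivity(nested)
        } else {
            Log.w(TAG, "Refused to forward intent to a non-exported component")
        }
        finish()
    }

    // Forward only when the intent resolves to an activity that is itself
    // exported, i.e. one the calling app could have started directly anyway.
    private fun isSafeToForward(target: Intent): Boolean {
        val info = target.resolveActivityInfo(packageManager, 0)
            ?: return false // nothing handles it, so there is nothing to forward
        if (!info.exported) return false
        // Do not carry our own URI grants over to the forwarded intent.
        target.removeFlags(
            Intent.FLAG_GRANT_READ_URI_PERMISSION or Intent.FLAG_GRANT_WRITE_URI_PERMISSION
        )
        return true
    }
}
```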
2) Information disclosure (CVE-ID: CVE-2024-26132)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application. A remote attacker can use a specially crafted application to force sharing files stored under the "files" directory in the application’s private sandboxed data directory to an arbitrary room.
Remediation
Install the update from the vendor's website.
References
- https://github.com/element-hq/element-android/security/advisories/GHSA-j6pr-fpc8-q9vm
- https://github.com/element-hq/element-android/commit/53734255ec270b0814946350787393dfcaa2a5a9
- https://element.io/blog/security-release-element-android-1-6-12
- https://support.google.com/faqs/answer/9267555?hl=en
- https://github.com/element-hq/element-android/security/advisories/GHSA-8wj9-cx7h-pvm4
- https://github.com/element-hq/element-android/commit/8f9695a9a8d944cb9b92568cbd76578c51d32e07