CVE-2022-39349 (GCVE-0-2022-39349)

Vulnerability from cvelistv5 – Published: 2022-10-25 00:00 – Updated: 2025-04-23 16:43
Title
Tasks.org vulnerable to data exfiltration by malicious app or adb
Summary
The Tasks.org Android app is an open-source app for to-do lists and reminders. The app uses the activity `ShareLinkActivity.kt` to handle "share" intents coming from other components on the same device and convert them to tasks. Those intents may carry arbitrary file paths as attachments, in which case the files those paths point to are copied into the app's external storage directory. Prior to versions 12.7.1 and 13.0.1, those paths were not validated, allowing a malicious or compromised application on the same device to force Tasks.org to copy files from its own internal storage into its external storage directory, where they became readable by any component with permission to read external storage. This vulnerability can lead to sensitive information disclosure: all information in the user's notes and the app's preferences, including the encrypted credentials of CalDAV integrations if enabled, could be accessed by third-party applications installed on the same device. This issue was fixed in versions 12.7.1 and 13.0.1. There are no known workarounds.
CWE
  • CWE-441 - Unintended Proxy or Intermediary ('Confused Deputy')
  • CWE-668 - Exposure of Resource to Wrong Sphere
Assigner
Impacted products
Vendor   Product   Version
tasks    tasks     Affected: < 12.7.1
                   Affected: = 13.0.0

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T12:00:44.173Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/tasks/tasks/security/advisories/GHSA-8x58-cg74-8jg8"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/tasks/tasks/commit/23bf69d3f44b07e4bc62ea107f72103239f5d942"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-39349",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-23T13:55:58.062634Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-23T16:43:58.446Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "tasks",
          "vendor": "tasks",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 12.7.1"
            },
            {
              "status": "affected",
              "version": "= 13.0.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Tasks.org Android app is an open-source app for to-do lists and reminders. The Tasks.org app uses the activity `ShareLinkActivity.kt` to handle \"share\" intents coming from other components in the same device and convert them to tasks. Those intents may contain arbitrary file paths as attachments, in which case the files pointed by those paths are copied in the app\u0027s external storage directory. Prior to versions 12.7.1 and 13.0.1, those paths were not validated, allowing a malicious or compromised application in the same device to force Tasks.org to copy files from its internal storage to its external storage directory, where they became accessible to any component with permission to read the external storage. This vulnerability can lead to sensitive information disclosure. All information in the user\u0027s notes and the app\u0027s preferences, including the encrypted credentials of CalDav integrations if enabled, could be accessed by third party applications installed on the same device. This issue was fixed in versions 12.7.1 and 13.0.1. There are no known workarounds."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-441",
              "description": "CWE-441: Unintended Proxy or Intermediary (\u0027Confused Deputy\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-668",
              "description": "CWE-668: Exposure of Resource to Wrong Sphere",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-10-25T00:00:00.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "url": "https://github.com/tasks/tasks/security/advisories/GHSA-8x58-cg74-8jg8"
        },
        {
          "url": "https://github.com/tasks/tasks/commit/23bf69d3f44b07e4bc62ea107f72103239f5d942"
        }
      ],
      "source": {
        "advisory": "GHSA-8x58-cg74-8jg8",
        "discovery": "UNKNOWN"
      },
      "title": "Tasks.org vulnerable to data exfiltration by malicous app or adb"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-39349",
    "datePublished": "2022-10-25T00:00:00.000Z",
    "dateReserved": "2022-09-02T00:00:00.000Z",
    "dateUpdated": "2025-04-23T16:43:58.446Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2022-39349",
      "date": "2026-05-25",
      "epss": "0.00018",
      "percentile": "0.05225"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-39349\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2022-10-25T17:15:56.483\",\"lastModified\":\"2024-11-21T07:18:05.543\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The Tasks.org Android app is an open-source app for to-do lists and reminders. The Tasks.org app uses the activity `ShareLinkActivity.kt` to handle \\\"share\\\" intents coming from other components in the same device and convert them to tasks. Those intents may contain arbitrary file paths as attachments, in which case the files pointed by those paths are copied in the app\u0027s external storage directory. Prior to versions 12.7.1 and 13.0.1, those paths were not validated, allowing a malicious or compromised application in the same device to force Tasks.org to copy files from its internal storage to its external storage directory, where they became accessible to any component with permission to read the external storage. This vulnerability can lead to sensitive information disclosure. All information in the user\u0027s notes and the app\u0027s preferences, including the encrypted credentials of CalDav integrations if enabled, could be accessed by third party applications installed on the same device. This issue was fixed in versions 12.7.1 and 13.0.1. There are no known workarounds.\"},{\"lang\":\"es\",\"value\":\"La aplicaci\u00f3n Tasks.org para Android es una aplicaci\u00f3n de c\u00f3digo abierto para listas de tareas y recordatorios. La aplicaci\u00f3n Tasks.org usa la actividad \\\"ShareLinkActivity.kt\\\" para manejar los intentos de \\\"compartir\\\" procedentes de otros componentes en el mismo dispositivo y convertirlos en tareas. Estos intentos pueden contener rutas de archivos arbitrarias como adjuntos, en cuyo caso los archivos apuntados por esas rutas son copiadas en el directorio de almacenamiento externo de la app. En versiones anteriores a 12.7.1 y 13.0.1, esas rutas no eran comprendidas, permitiendo que una aplicaci\u00f3n maliciosa o comprometida en el mismo dispositivo forzara a Tasks.org a copiar archivos de su almacenamiento interno a su directorio de almacenamiento externo, donde quedaban accesibles para cualquier componente con permiso para leer el almacenamiento externo. Esta vulnerabilidad puede conllevar a una divulgaci\u00f3n de informaci\u00f3n confidencial. Toda la informaci\u00f3n de las notas del usuario y de las preferencias de la aplicaci\u00f3n, incluidas las credenciales cifradas de las integraciones de CalDav si est\u00e1n activadas, pod\u00eda ser accesible por aplicaciones de terceros instaladas en el mismo dispositivo. Este problema ha sido corregido en versiones 12.7.1 y 13.0.1. No se presentan mitigaciones conocidas\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-441\"},{\"lang\":\"en\",\"value\":\"CWE-668\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-668\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:tasks:tasks:*:*:*:*:*:android:*:*\",\"versionEndExcluding\":\"12.7.1\",\"matchCriteriaId\":\"268C3011-5D3E-433D-B34B-F32DC954D97A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:tasks:tasks:13.0.0:*:*:*:*:android:*:*\",\"matchCriteriaId\":\"CA5E120A-A1C4-4A7C-BC58-14FF05B0D3F1\"}]}]}],\"references\":[{\"url\":\"https://github.com/tasks/tasks/commit/23bf69d3f44b07e4bc62ea107f72103239f5d942\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/tasks/tasks/security/advisories/GHSA-8x58-cg74-8jg8\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/tasks/tasks/commit/23bf69d3f44b07e4bc62ea107f72103239f5d942\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/tasks/tasks/security/advisories/GHSA-8x58-cg74-8jg8\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"Tasks.org vulnerable to data exfiltration by malicous app or adb\", \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2022-10-25T00:00:00.000Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"The Tasks.org Android app is an open-source app for to-do lists and reminders. The Tasks.org app uses the activity `ShareLinkActivity.kt` to handle \\\"share\\\" intents coming from other components in the same device and convert them to tasks. Those intents may contain arbitrary file paths as attachments, in which case the files pointed by those paths are copied in the app\u0027s external storage directory. Prior to versions 12.7.1 and 13.0.1, those paths were not validated, allowing a malicious or compromised application in the same device to force Tasks.org to copy files from its internal storage to its external storage directory, where they became accessible to any component with permission to read the external storage. This vulnerability can lead to sensitive information disclosure. All information in the user\u0027s notes and the app\u0027s preferences, including the encrypted credentials of CalDav integrations if enabled, could be accessed by third party applications installed on the same device. This issue was fixed in versions 12.7.1 and 13.0.1. There are no known workarounds.\"}], \"affected\": [{\"vendor\": \"tasks\", \"product\": \"tasks\", \"versions\": [{\"version\": \"\u003c 12.7.1\", \"status\": \"affected\"}, {\"version\": \"= 13.0.0\", \"status\": \"affected\"}]}], \"references\": [{\"url\": \"https://github.com/tasks/tasks/security/advisories/GHSA-8x58-cg74-8jg8\"}, {\"url\": \"https://github.com/tasks/tasks/commit/23bf69d3f44b07e4bc62ea107f72103239f5d942\"}], \"metrics\": [{\"cvssV3_1\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\", \"baseScore\": 5.5, \"baseSeverity\": \"MEDIUM\"}}], \"problemTypes\": [{\"descriptions\": [{\"type\": \"CWE\", \"lang\": \"en\", \"description\": \"CWE-441: Unintended Proxy or Intermediary (\u0027Confused Deputy\u0027)\", \"cweId\": \"CWE-441\"}]}, {\"descriptions\": [{\"type\": \"CWE\", \"lang\": \"en\", \"description\": \"CWE-668: Exposure of Resource to Wrong Sphere\", \"cweId\": \"CWE-668\"}]}], \"source\": {\"advisory\": \"GHSA-8x58-cg74-8jg8\", \"discovery\": \"UNKNOWN\"}}, \"adp\": [{\"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T12:00:44.173Z\"}, \"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/tasks/tasks/security/advisories/GHSA-8x58-cg74-8jg8\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://github.com/tasks/tasks/commit/23bf69d3f44b07e4bc62ea107f72103239f5d942\", \"tags\": [\"x_transferred\"]}]}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-39349\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-23T13:55:58.062634Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-23T13:55:59.405Z\"}}]}",
      "cveMetadata": "{\"state\": \"PUBLISHED\", \"cveId\": \"CVE-2022-39349\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"assignerShortName\": \"GitHub_M\", \"dateUpdated\": \"2025-04-23T16:43:58.446Z\", \"dateReserved\": \"2022-09-02T00:00:00.000Z\", \"datePublished\": \"2022-10-25T00:00:00.000Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}
