Description for CVE-2024-25466
[Suggested description]
Directory Traversal vulnerability in React Native Document Picker before v.9.1.1 (fixed in v.9.1.1) allows a local attacker to execute arbitrary code via a crafted script to the Android library component.
[Vulnerability Type]
Directory Traversal
[Vendor of Product]
https://github.com/rnmods/react-native-document-picker/
[Affected Product Code Base]
react-native-document-picker Android library - react-native-document-picker library for Android: versions < 9.1.1, fixed in 9.1.1
[Affected Component]
Android library (exact file: https://github.com/rnmods/react-native-document-picker/blob/0be5a70c3b456e35c2454aaf4dc8c2d40eb2ab47/android/src/main/java/com/reactnativedocumentpicker/RNDocumentPickerModule.java)
[Attack Type]
Local
[Impact Code execution]
true
[Impact Escalation of Privileges]
true
[Attack Vectors]
To exploit this vulnerability, the user must choose a maliciously configured application while picking a file.
[Has vendor confirmed or acknowledged the vulnerability?]
true
[Reference]
http://react-native-document-picker.com
https://github.com/rnmods/react-native-document-picker/
https://github.com/rnmods/react-native-document-picker/blob/0be5a70c3b456e35c2454aaf4dc8c2d40eb2ab47/android/src/main/java/com/reactnativedocumentpicker/RNDocumentPickerModule.java
[CVSSv3]
CVSS v3: (AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H): 7.3