PT-2024-03: Vulnerability of reading internal application files in OpenKeychain

Vendor: OpenKeychain
Product: OpenKeychain
Vulnerable version: 5.8.2 (58902)

Vulnerability type:
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

Identifier (ID): BDU:2024-03056

Vulnerability vector:
- Base vulnerability score (CVSSv3.1): CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- Severity (CVSSv3.1): 4.6 (medium)
- Base vulnerability score (CVSSv4.0): CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
- Severity (CVSSv4.0): 5.1 (medium)

Description:
The vulnerability was identified in OpenKeychain v.5.8.2 (58902). It allows a potential attacker to read any files available to the application (including files in the application sandbox) and save files to external storage. The vulnerability is caused by insufficient filtering of input parameters.

Vulnerability status: Confirmed by vendor
Date of vulnerability detection: 19.07.2023
Recommendations: Update to version >6.
Additional information: -
Researcher: Artem Kulakov (Positive Technologies)