CVE-2024-37403 in Docs@Workinfo

Summary

by MITRE • 08/07/2024

Ivanti Docs@Work for Android, before 2.26.0 is affected by the 'Dirty Stream' vulnerability. The application fails to properly sanitize file names, resulting in a path traversal-affiliated vulnerability. This potentially enables other malicious apps on the device to read sensitive information stored in the app root.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 03/15/2025

The Dirty Stream vulnerability in Ivanti Docs@Work for Android represents a critical path traversal flaw that undermines the application's security model and exposes sensitive data to unauthorized access. This vulnerability affects versions prior to 2.26.0 and stems from inadequate input validation within the file handling mechanisms of the mobile application. The flaw specifically manifests when the application processes file names without proper sanitization, creating opportunities for attackers to manipulate file paths and access restricted directories.

The technical implementation of this vulnerability allows malicious applications on the same device to exploit the improper file name handling by crafting specially formatted file paths that traverse beyond the intended application directory structure. This path traversal capability enables attackers to access files stored within the app's root directory, potentially exposing sensitive information such as user credentials, personal documents, or confidential business data. The vulnerability operates at the file system level, leveraging the Android application sandboxing mechanisms that should normally isolate app data from other applications.

From an operational perspective, this vulnerability creates significant risk for organizations that rely on Ivanti Docs@Work for Android as a document management solution. The attack surface extends beyond individual device compromise to potential data breaches involving sensitive corporate or personal information. The vulnerability's impact is amplified by the fact that it requires no special privileges or user interaction from the victim, making it particularly dangerous as it can be exploited by any application installed on the device. Security researchers have classified this issue as a path traversal vulnerability, which aligns with CWE-22, representing the weakness where an application allows access to files or directories that are outside of its intended scope.

The exploitation of this vulnerability typically involves crafting file paths that include directory traversal sequences such as ../ or ..\ to navigate up the directory tree from the application's root directory. This allows attackers to access files that should normally be restricted to the application's private storage area. The attack vector is particularly concerning in enterprise environments where mobile device management policies may not fully address such application-level vulnerabilities. Organizations using this application should consider the implications for their overall security posture, as this vulnerability could potentially serve as a stepping stone for more sophisticated attacks.

Mitigation strategies for this vulnerability should focus on immediate remediation through the application update to version 2.26.0 or later, which includes proper file name sanitization and path validation mechanisms. System administrators should also implement mobile device management policies that restrict the installation of untrusted applications and monitor for suspicious file access patterns. Additionally, organizations should conduct comprehensive security assessments of their mobile application environments to identify similar vulnerabilities in other applications that may be susceptible to path traversal attacks. The ATT&CK framework categorizes this type of vulnerability under privilege escalation and defense evasion techniques, highlighting the need for layered security approaches that address both application-level and device-level security controls.

Responsible

Hackerone

Reservation

06/08/2024

Disclosure

08/07/2024

Moderation

accepted

CPE

ready

EPSS

0.00459

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!