Arbitrary File Read in Tasks.org Android app [CVE-2022-39349]

We discussed this vulnerability during Episode 165 on 07 November 2022

Funny bug in Task.org, which is an open source reminder and todo list tracking app. The vulnerability is lack of path validation in the ShareLinkActivity’s share intent. The activity will accept arbitrary paths intended as “attachment files”, which will copy the file into the app’s external storage directory. An attacker can provide a path to Task.org internal storage files (such as the user local database or preference files) and copy them to the publicly accessible external storage. It’s possible the database can contain credentials for CalDAV integration if it’s enabled, though passwords are encrypted, mitigating the impact.