CVE-2021-41166: Merge pull request from GHSA-wff9-w6wc-h67g · nextcloud/android@aa47197
The Nextcloud Android app is the Android client for Nextcloud, a self-hosted productivity platform. An issue in versions prior to 3.17.1 may lead to sensitive information disclosure. An unauthorized app that does not have the otherwise required MANAGE_DOCUMENTS permission may view image thumbnails for images it does not have permission to view. Version 3.17.1 contains a patch. There are no known workarounds.
Merge pull request from GHSA-wff9-w6wc-h67g
Fix GHSL-2021-1008 by using permission instead of readPermission
2 parents 8857ea7 + b6ecf51 commit aa47197109970b8449c4e44601eba36e3481b086
Showing with 3 additions and 2 deletions.
- +3 −2 src/main/AndroidManifest.xml
@@ -306,9 +306,10 @@
<provider
android:name=".providers.DiskLruImageCacheFileProvider"
android:authorities="@string/image_cache_provider_authority"
android:exported="true"
android:grantUriPermissions="true"
android:readPermission="android.permission.MANAGE_DOCUMENTS" />
android:permission="android.permission.MANAGE_DOCUMENTS"
android:exported="true">
</provider>
<!-- Disable WorkManager initialization. Whoever designed this, should pay closer attention -->
<!-- to “best before” dates in his fridge. -->
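Review bot: The new android:permission="android.permission.MANAGE_DOCUMENTS" line on the DiskLruImageCacheFileProvider entry has no comment explaining why it replaces android:readPermission, so a later manifest cleanup could narrow it back. android:permission gates both read and write access to the provider, while readPermission gates only reads; a one-line XML comment above the <provider> element saying that both access paths must be covered would record that intent. Separately, the entry keeps android:exported="true" together with android:grantUriPermissions="true"; if other apps are only ever meant to reach this provider through per-URI grants, it is worth checking whether android:exported="false" would still work, since that would reduce the exposed surface further.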