CVE-2024-2045: Session 1.17.5 - LFR via chat attachment

5.5 CVSS

Description

Session version 1.17.5 allows obtaining internal application files and public files from the user's device without the user's consent. This is possible because the application is vulnerable to Local File Read via chat attachments.

Classification

CVE ID: CVE-2024-2045

CVSS Base Severity: MEDIUM

CVSS Base Score: 5.5

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Problem Types

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Affected Products

Vendor: Session

Product: Session

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.07% (probability of being exploited)

EPSS Percentile: 21.63% (share of all scored CVEs with an EPSS score less than or equal to this one)

EPSS Date: 2025-06-17 (date on which this score was calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: poc

SSVC Technical Impact: partial

SSVC Automatable: false

References

https://nvd.nist.gov/vuln/detail/CVE-2024-2045
https://fluidattacks.com/advisories/newman/
https://github.com/oxen-io/session-android/

Timeline