CVE-2022-39349: CWE-441: Unintended Proxy or Intermediary ('Confused Deputy') in tasks/tasks (the Tasks.org Android app)
The Tasks.org Android app is an open-source to-do list and reminder app. It uses the activity `ShareLinkActivity.kt` to handle "share" intents coming from other components on the same device and convert them into tasks. Those intents may carry arbitrary file paths as attachments, in which case the files those paths point to are copied into the app's external storage directory. Prior to versions 12.7.1 and 13.0.1, those paths were not validated, allowing a malicious or compromised application on the same device to force Tasks.org to copy files from its own internal storage into its external storage directory, where they became readable by any component with permission to read external storage. This can lead to sensitive information disclosure: everything in the user's notes and the app's preferences, including the encrypted credentials of CalDAV integrations if enabled, could be read by third-party applications installed on the same device. The issue was fixed in versions 12.7.1 and 13.0.1. There are no known workarounds.
AI Analysis
Technical Summary
CVE-2022-39349 is a confused-deputy flaw in the Tasks.org Android application, an open-source to-do list and reminder app. It sits in the share-intent handler, `ShareLinkActivity.kt`, which is exported so that other apps on the device can send it content to turn into tasks. Such an intent may name file attachments by arbitrary file path. Before versions 12.7.1 and 13.0.1 the activity did not validate those paths, so a malicious or compromised app on the same device could send an intent whose attachment path pointed into Tasks.org's own private internal storage. Tasks.org, running with its own permissions, would then copy the file into its external storage directory, which any app holding external storage read permission can read. The app thereby acts as an unintended intermediary between a low-privileged caller and data only it should be able to reach, which is why the issue is classified as CWE-441 (Unintended Proxy or Intermediary, 'Confused Deputy') and CWE-668 (Exposure of Resource to Wrong Sphere). Data reachable this way includes the user's notes, the app's preferences and, if CalDAV sync is configured, the encrypted CalDAV credentials. Exploitation requires no user interaction and no privileges beyond having the malicious app installed: it only has to start the exported activity with a crafted share intent and then read the copy back from external storage. The fix in 12.7.1 and 13.0.1 adds validation of attachment paths in the share-intent handler. No exploitation in the wild has been reported, and there is no workaround other than updating to a fixed version.
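The pattern behind the flaw, as an added Kotlin example written for this page (it is not Tasks.org's `ShareLinkActivity.kt`; the class, function and log tag names are assumptions, the Android APIs used are real). The vulnerable handler opens whatever path the sender put in the intent with the app's own privileges. The hardened handler refuses file paths outright, reads only `content://` URIs through ContentResolver so the owning provider enforces access, and also refuses URIs served by the app's own content providers, which ContentResolver would otherwise open with the app's own permissions and which would reopen the same hole from a different direction.

```kotlin
// Added example, not Tasks.org's code. Class, function and TAG names are
// assumptions; the Android APIs (Intent, Uri, ContentResolver, PackageManager,
// getExternalFilesDir) are real.
import android.app.Activity
import android.content.Intent
import android.net.Uri
import android.os.Bundle
import android.util.Log
import java.io.File
import java.io.IOException

class ShareAttachmentExample : Activity() {

    companion object {
        private const val TAG = "ShareAttachmentExample"
    }

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // ACTION_SEND carries the attachment as a Uri in EXTRA_STREAM.
        val uri: Uri? = intent.getParcelableExtra(Intent.EXTRA_STREAM)
        if (uri != null) hardenedCopy(uri)
        finish()
    }

    // VULNERABLE PATTERN (what the advisory describes): the sender-supplied
    // path is opened as-is with this app's own privileges. A caller can pass a
    // file:// URI pointing under this app's private data directory (databases,
    // shared_prefs, files) and the file gets copied to external storage, where
    // other apps with external storage read access can pick it up.
    @Suppress("unused")
    private fun vulnerableCopy(uri: Uri) {
        val src = File(uri.path!!)                           // no validation at all
        val dst = File(getExternalFilesDir(null), src.name)
        src.copyTo(dst, overwrite = true)
    }

    // HARDENED: (1) never open a caller-chosen file path; (2) accept only
    // content:// URIs and read them through ContentResolver, so the owning
    // provider enforces its own access rules; (3) refuse URIs served by this
    // app's own providers, which would be opened with this app's permissions.
    private fun hardenedCopy(uri: Uri) {
        if (uri.scheme != "content") {
            Log.w(TAG, "rejecting attachment with scheme '${uri.scheme}'")
            return
        }
        if (isServedByThisApp(uri)) {
            Log.w(TAG, "rejecting attachment served by our own provider ${uri.authority}")
            return
        }
        val dst = File(getExternalFilesDir(null), "attachment-${System.currentTimeMillis()}")
        try {
            // Throws SecurityException when the sender did not grant read access
            // (e.g. no FLAG_GRANT_READ_URI_PERMISSION on the share intent).
            val input = contentResolver.openInputStream(uri)
            if (input == null) {
                Log.w(TAG, "provider returned no stream for $uri")
                return
            }
            input.use { src ->
                dst.outputStream().use { out -> src.copyTo(out) }
            }
        } catch (e: SecurityException) {
            Log.w(TAG, "no permission to read $uri", e)
        } catch (e: IOException) {
            Log.w(TAG, "failed to copy $uri", e)
            dst.delete()
        }
    }

    // True if the authority in the URI belongs to a ContentProvider declared by
    // this package. Non-exported providers count too: they are still reachable
    // from inside the app, which is exactly the confused-deputy path.
    private fun isServedByThisApp(uri: Uri): Boolean {
        val authority = uri.authority ?: return true   // no authority: not a usable content URI
        val info = packageManager.resolveContentProvider(authority, 0) ?: return false
        return info.packageName == packageName
    }
}
```

Rejecting `file://` is the important part: canonicalising the path and checking it against the app's data directory is fragile (symlinks, `/proc/self` paths, case differences on some filesystems), whereas a `content://` URI is only readable if the sending app owns it or was granted it, so the sender can never hand over more than it could read itself.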
Potential Impact
For European organizations whose staff use Tasks.org for task management and CalDAV calendar synchronization, the risk is to confidentiality. Business information in notes, personal notes and the stored CalDAV credentials can be exposed to any other app on the device once a malicious app is installed; if those credentials can be decrypted or are reused elsewhere, the exposure extends to corporate calendars and the CalDAV server behind them. Integrity and availability are not directly affected, but the disclosed data can feed follow-on attacks such as social engineering or credential-based lateral movement. Given how common Android devices are in European enterprises and among remote workers, the risk is not negligible. Exploitation requires a malicious app on the same device, so organizational controls on app installation reduce it; under Bring Your Own Device (BYOD) policies or weak mobile device management it is more pronounced. How useful the copied credentials are to an attacker depends on where the decryption key lives: a key held in the Android Keystore is not a file and cannot be copied out through this flaw, whereas a key derivable from the app's own stored data would allow offline decryption; the advisory does not say which applies. One further caveat for newer devices: since Android 11, scoped storage stops other apps from reading a package's app-specific external directory (Android/data/<package>), so if the copied files land there the practical exposure is greatest on older Android versions or against apps still using legacy external storage access. The advisory does not state exactly where the copies land or on which Android versions the issue was verified.
Mitigation Recommendations
1. Update the Tasks.org app to 12.7.1 or later on the 12.x line, or to 13.0.1 or later; these releases contain the fix.
2. Enforce mobile device management (MDM) policies that restrict installation of untrusted or unknown applications, since a malicious app on the same device is the only exploitation vector.
3. Educate users about the risks of sideloading apps from unofficial sources and the importance of keeping apps updated.
4. Where CalDAV integration is not essential, disable it (or remove its stored credentials) until the update is installed, so that no credentials are present to be copied.
5. Audit which installed apps hold external storage read access (READ_EXTERNAL_STORAGE, or MANAGE_EXTERNAL_STORAGE on Android 11 and later) and remove apps that do not need it.
6. Use mobile threat defense (MTD) or Android-capable endpoint tooling that flags sideloaded, repackaged or known-malicious apps; generic endpoint detection does not observe individual inter-app intents, so do not expect it to catch the crafted share intent itself.
7. For BYOD fleets, use an Android work profile or equivalent containerization so that corporate apps and their data are isolated from personally installed apps, which limits cross-app exploitation.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden, Belgium, Poland, Ireland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2022-09-02T00:00:00.000Z
- CISA Enriched: true
Threat ID: 682d9846c4522896dcbf4923
Added to database: 5/21/2025, 9:09:26 AM
Last enriched: 6/22/2025, 2:52:05 PM
Last updated: 8/11/2025, 7:04:30 PM