
CVE-2024-2045: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Session Session

Medium
Published: Thu Feb 29 2024 (02/29/2024, 23:37:37 UTC)
Source: CVE
Vendor/Project: Session
Product: Session

Description

Session version 1.17.5 allows obtaining internal application files and public files from the user's device without the user's consent. This is possible because the application is vulnerable to Local File Read via chat attachments.

AI-Powered Analysis

Last updated: 07/04/2025, 13:55:45 UTC

Technical Analysis

CVE-2024-2045 is a medium-severity vulnerability classified under CWE-22, which pertains to improper limitation of a pathname to a restricted directory, commonly known as a path traversal vulnerability. This specific vulnerability affects Session version 1.17.5, an application used for secure messaging. The flaw allows an attacker to exploit the application's handling of chat attachments to perform a Local File Read attack. By leveraging this vulnerability, an attacker can access internal application files and public files stored on the user's device without their consent. The vulnerability arises because the application fails to properly sanitize or restrict file path inputs, enabling traversal outside the intended directories. The CVSS 3.1 score is 5.5, indicating a medium severity level, with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N. This means the attack requires local access (AV:L), low attack complexity (AC:L), no privileges (PR:N), but does require user interaction (UI:R). The impact is primarily on confidentiality, as the attacker can read sensitive files, but does not affect integrity or availability. There are no known exploits in the wild at this time, and no patches have been linked yet. The vulnerability was published on February 29, 2024, and has been enriched by CISA, indicating recognition by US cybersecurity authorities. Overall, this vulnerability poses a risk of unauthorized data disclosure through local exploitation via chat attachments in the Session app version 1.17.5.

Potential Impact

For European organizations, the impact of CVE-2024-2045 can be significant, especially for entities relying on the Session application for secure communications. The ability to read internal and public files on user devices without consent threatens the confidentiality of sensitive corporate data, intellectual property, and personal information. This could lead to data breaches, regulatory non-compliance (e.g., GDPR violations), and erosion of trust in secure communication tools. Since the attack requires local access and user interaction, the risk is higher in environments where devices are shared, or users may be tricked into opening malicious chat attachments. The vulnerability could be exploited by insiders or through social engineering campaigns targeting employees. Although the vulnerability does not affect integrity or availability, the unauthorized disclosure of files could facilitate further attacks or espionage. Organizations handling sensitive information, such as financial institutions, healthcare providers, and government agencies, are particularly at risk. The lack of a patch increases the urgency for mitigation measures to prevent exploitation.

Mitigation Recommendations

To mitigate CVE-2024-2045, European organizations should implement the following specific measures:

1) Immediately restrict the use of Session version 1.17.5 within the organization until a patched version is released.
2) Educate users about the risks of opening chat attachments from untrusted or unknown sources, emphasizing the potential for local file disclosure.
3) Employ endpoint security solutions that monitor and restrict unauthorized file access attempts, especially those initiated by messaging applications.
4) Use application whitelisting and sandboxing techniques to limit the Session app's file system access to only necessary directories.
5) Monitor logs and user activity for suspicious behavior indicative of exploitation attempts, such as unusual file access patterns.
6) Coordinate with the Session vendor to obtain updates or patches and apply them promptly once available.
7) Consider deploying Data Loss Prevention (DLP) tools to detect and block unauthorized exfiltration of sensitive files.
8) Implement strict device usage policies to minimize local attack vectors, including restricting physical access to devices and enforcing strong authentication.

These targeted actions go beyond generic advice by focusing on controlling local access and user behavior related to the vulnerable application.


Technical Details

Data Version: 5.1
Assigner Short Name: Fluid Attacks
Date Reserved: 2024-02-29T23:31:27.739Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682cd0f81484d88663aeb541

Added to database: 5/20/2025, 6:59:04 PM

Last enriched: 7/4/2025, 1:55:45 PM

Last updated: 8/14/2025, 12:14:46 AM
