Path traversal vulnerability in content provider versions 2.3.3 – 2.8.0

We found a path traversal vulnerability in DocumentSharingProvider. It affects Nutrient Android SDK versions 2.3.3 – 2.8.0. We strongly recommend updating to version 2.9.0, which contains the fix.

Issue

DocumentSharingProvider is required for the PDF document sharing functionality inside the Nutrient PDF framework. The sharing flow saves a processed document into the pspdfkit/sharing subdirectory of the application’s private cache directory. DocumentSharingProvider then exposes that sharing directory to the receiving application through a content URI (typically content://application.package.name.pdf.share/document.pdf).

Due to bugs in certain Samsung firmware, the provider must be exported, even if grantUriPermissions is set to true. Because the provider is exported, any application on the device can send it a content URI. We found that a content URI can be constructed in a way that exposes other private application files outside the cache/pspdfkit/sharing directory.

Mitigation

To mitigate the issue on older versions of Nutrient, DocumentSharingProvider should be unexported. This prevents other applications from accessing it. As a side effect, it may break sharing functionality on some versions of Samsung firmware. Add an entry for DocumentSharingProvider to your AndroidManifest.xml and set android:exported to false:

<provider
    android:name="com.pspdfkit.document.sharing.DocumentSharingProvider"
    android:authorities="${applicationId}.pdf.share"
    android:exported="false"
    android:grantUriPermissions="true" />

Fix

The fix was committed on 12 January 2016 (ticket number #9136) and was released as part of Nutrient Android SDK 2.9.0.
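
This advisory does not describe how the fix is implemented. The following is an added example, not Nutrient's code, of the containment check a file-backed provider generally needs before serving a requested path. The class SharedFileResolver, its method names and the temporary directory layout are hypothetical.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Added example: containment check for a file-backed provider.
// SharedFileResolver and its method names are hypothetical.
public final class SharedFileResolver {
    private final Path root;

    public SharedFileResolver(File sharingDir) throws IOException {
        // Canonicalize once so symlinks in the root itself are resolved.
        this.root = sharingDir.getCanonicalFile().toPath();
    }

    /** Maps the path part of a content URI to a file, or throws if it escapes the root. */
    public File resolve(String requestedPath) throws IOException {
        // getCanonicalFile() collapses "." and ".." and follows symlinks,
        // so the comparison below sees the file that would really be opened.
        File candidate = new File(root.toFile(), requestedPath).getCanonicalFile();
        Path resolved = candidate.toPath();
        // Path.startsWith compares whole name elements, so a sibling such as
        // "sharing-old" does not pass as being inside "sharing".
        if (resolved.equals(root) || !resolved.startsWith(root)) {
            throw new SecurityException("Path escapes sharing directory: " + requestedPath);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout standing in for <cache>/pspdfkit/sharing.
        Path cache = Files.createTempDirectory("cache");
        Path sharing = Files.createDirectories(cache.resolve("pspdfkit/sharing"));
        Files.createFile(sharing.resolve("document.pdf"));
        Files.createFile(cache.resolve("private.txt"));

        SharedFileResolver resolver = new SharedFileResolver(sharing.toFile());
        for (String p : new String[] {"document.pdf", "./document.pdf", "../../private.txt"}) {
            try {
                System.out.println("served   " + resolver.resolve(p).getName() + " for " + p);
            } catch (SecurityException e) {
                System.out.println("rejected " + p);
            }
        }
    }
}
```

In an Android ContentProvider, a check like this belongs in openFile(), before the file is opened and handed to the caller.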