According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is information disclosure? The attack itself is carried out locally. For example, when the score indicates that the Attack Vector is Local (AV:L) and User Interaction is Required (UI:R), this could describe an exploit in which an attacker, through social engineering, convinces a victim to download and run a malicious application. This could lead to a local attack on the user's device which could leak data. How do I get the update for OneDrive for Android? Tap the Google Play icon on your home screen. Swipe in from the left edge of the screen. Tap My apps & games. Tap the Update box next to the OneDrive app. Is there a direct link on the web? Yes: https://play.google.com/store/apps/details?id=com.microsoft.skydrive&hl=en_US According to the CVSS metric, successful exploitation of this vulnerability could lead to total loss of confidentiality (C:H)? What does that mean for this vulnerability? This vulnerability could disclose Android/local URIs, to which OneDrive has been granted access, to the attacker.
Martin Kibuchi