CVE-2019-16248 (GCVE-0-2019-16248)

Vulnerability from cvelistv5 – Published: 2019-09-11 22:19 – Updated: 2024-08-05 01:10
VLAI?
Summary
The "delete for" feature in Telegram before 5.11 on Android does not delete shared media files from the Telegram Images directory. In other words, there is a potentially misleading UI indication that a sender can remove a recipient's copy of a previously sent image (analogous to supported functionality in which a sender can remove a recipient's copy of a previously sent message).
Severity ?
No CVSS data available.
CWE
  • n/a
Assigner
References
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T01:10:41.671Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.inputzero.io/2019/09/telegram-privacy-fails-again.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/RootUp/PersonalStuff/blob/master/Telegram_Privacy.pdf"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.openwall.com/lists/oss-security/2019/09/09/2"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The \"delete for\" feature in Telegram before 5.11 on Android does not delete shared media files from the Telegram Images directory. In other words, there is a potentially misleading UI indication that a sender can remove a recipient\u0027s copy of a previously sent image (analogous to supported functionality in which a sender can remove a recipient\u0027s copy of a previously sent message)."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-09-11T22:19:49",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.inputzero.io/2019/09/telegram-privacy-fails-again.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/RootUp/PersonalStuff/blob/master/Telegram_Privacy.pdf"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.openwall.com/lists/oss-security/2019/09/09/2"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2019-16248",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The \"delete for\" feature in Telegram before 5.11 on Android does not delete shared media files from the Telegram Images directory. In other words, there is a potentially misleading UI indication that a sender can remove a recipient\u0027s copy of a previously sent image (analogous to supported functionality in which a sender can remove a recipient\u0027s copy of a previously sent message)."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.inputzero.io/2019/09/telegram-privacy-fails-again.html",
              "refsource": "MISC",
              "url": "https://www.inputzero.io/2019/09/telegram-privacy-fails-again.html"
            },
            {
              "name": "https://github.com/RootUp/PersonalStuff/blob/master/Telegram_Privacy.pdf",
              "refsource": "MISC",
              "url": "https://github.com/RootUp/PersonalStuff/blob/master/Telegram_Privacy.pdf"
            },
            {
              "name": "https://www.openwall.com/lists/oss-security/2019/09/09/2",
              "refsource": "MISC",
              "url": "https://www.openwall.com/lists/oss-security/2019/09/09/2"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2019-16248",
    "datePublished": "2019-09-11T22:19:49",
    "dateReserved": "2019-09-11T00:00:00",
    "dateUpdated": "2024-08-05T01:10:41.671Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:telegram:telegram:*:*:*:*:*:android:*:*\", \"versionEndExcluding\": \"5.11.0\", \"matchCriteriaId\": \"FDF1836C-1773-4563-831F-260EDF6BF2AF\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"The \\\"delete for\\\" feature in Telegram before 5.11 on Android does not delete shared media files from the Telegram Images directory. In other words, there is a potentially misleading UI indication that a sender can remove a recipient\u0027s copy of a previously sent image (analogous to supported functionality in which a sender can remove a recipient\u0027s copy of a previously sent message).\"}, {\"lang\": \"es\", \"value\": \"La funcionalidad \\\"delete for\\\" en Telegram versiones anteriores a 5.11 en Android no elimina los archivos multimedia compartidos desde el directorio de Im\\u00e1genes de Telegram. En otras palabras, existe una indicaci\\u00f3n de la IU potencialmente enga\\u00f1osa de que un remitente puede eliminar la copia de un destinatario de una imagen enviada previamente (an\\u00e1loga a la funcionalidad compatible en la que un remitente puede suprimir la copia de un destinatario de un mensaje enviado previamente).\"}]",
      "id": "CVE-2019-16248",
      "lastModified": "2024-11-21T04:30:22.957",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\", \"baseScore\": 5.5, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 1.8, \"impactScore\": 3.6}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:L/AC:L/Au:N/C:P/I:N/A:N\", \"baseScore\": 2.1, \"accessVector\": \"LOCAL\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"LOW\", \"exploitabilityScore\": 3.9, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2019-09-11T23:15:14.313",
      "references": "[{\"url\": \"https://github.com/RootUp/PersonalStuff/blob/master/Telegram_Privacy.pdf\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.inputzero.io/2019/09/telegram-privacy-fails-again.html\", \"source\": \"cve@mitre.org\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://www.openwall.com/lists/oss-security/2019/09/09/2\", \"source\": \"cve@mitre.org\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/RootUp/PersonalStuff/blob/master/Telegram_Privacy.pdf\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.inputzero.io/2019/09/telegram-privacy-fails-again.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://www.openwall.com/lists/oss-security/2019/09/09/2\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}]",
      "sourceIdentifier": "cve@mitre.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-noinfo\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2019-16248\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2019-09-11T23:15:14.313\",\"lastModified\":\"2024-11-21T04:30:22.957\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The \\\"delete for\\\" feature in Telegram before 5.11 on Android does not delete shared media files from the Telegram Images directory. In other words, there is a potentially misleading UI indication that a sender can remove a recipient\u0027s copy of a previously sent image (analogous to supported functionality in which a sender can remove a recipient\u0027s copy of a previously sent message).\"},{\"lang\":\"es\",\"value\":\"La funcionalidad \\\"delete for\\\" en Telegram versiones anteriores a 5.11 en Android no elimina los archivos multimedia compartidos desde el directorio de Im\u00e1genes de Telegram. En otras palabras, existe una indicaci\u00f3n de la IU potencialmente enga\u00f1osa de que un remitente puede eliminar la copia de un destinatario de una imagen enviada previamente (an\u00e1loga a la funcionalidad compatible en la que un remitente puede suprimir la copia de un destinatario de un mensaje enviado previamente).\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:L/AC:L/Au:N/C:P/I:N/A:N\",\"baseScore\":2.1,\"accessVector\":\"LOCAL\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"LOW\",\"exploitabilityScore\":3.9,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:telegram:telegram:*:*:*:*:*:android:*:*\",\"versionEndExcluding\":\"5.11.0\",\"matchCriteriaId\":\"FDF1836C-1773-4563-831F-260EDF6BF2AF\"}]}]}],\"references\":[{\"url\":\"https://github.com/RootUp/PersonalStuff/blob/master/Telegram_Privacy.pdf\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.inputzero.io/2019/09/telegram-privacy-fails-again.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://www.openwall.com/lists/oss-security/2019/09/09/2\",\"source\":\"cve@mitre.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/RootUp/PersonalStuff/blob/master/Telegram_Privacy.pdf\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.inputzero.io/2019/09/telegram-privacy-fails-again.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://www.openwall.com/lists/oss-security/2019/09/09/2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.