CVE-2019-3566 (GCVE-0-2019-3566)

Vulnerability from cvelistv5 – Published: 2019-05-10 20:58 – Updated: 2024-08-04 19:12
VLAI?
Summary
A bug in WhatsApp for Android's messaging logic would potentially allow a malicious individual who has taken over over a WhatsApp user's account to recover previously sent messages. This behavior requires independent knowledge of metadata for previous messages, which are not available publicly. This issue affects WhatsApp for Android 2.19.52 and 2.19.54 - 2.19.103, as well as WhatsApp Business for Android starting in v2.19.22 until v2.19.38.
Severity ?
No CVSS data available.
CWE
  • CWE-284 - Improper Access Control (CWE-284)
Assigner
References
Impacted products
Vendor Product Version
Facebook WhatsApp for Android Affected: 2.19.104
Affected: 2.19.54 , < unspecified (custom)
Affected: 2.19.52
Create a notification for this product.
    Facebook WhatsApp Business for Android Affected: 2.19.38
Affected: 2.19.22 , < unspecified (custom)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T19:12:09.532Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.facebook.com/security/advisories/cve-2019-3566"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "WhatsApp for Android",
          "vendor": "Facebook",
          "versions": [
            {
              "status": "affected",
              "version": "2.19.104"
            },
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "2.19.54",
              "versionType": "custom"
            },
            {
              "status": "affected",
              "version": "2.19.52"
            }
          ]
        },
        {
          "product": "WhatsApp Business for Android",
          "vendor": "Facebook",
          "versions": [
            {
              "status": "affected",
              "version": "2.19.38"
            },
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "2.19.22",
              "versionType": "custom"
            }
          ]
        }
      ],
      "dateAssigned": "2019-05-09T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "A bug in WhatsApp for Android\u0027s messaging logic would potentially allow a malicious individual who has taken over over a WhatsApp user\u0027s account to recover previously sent messages. This behavior requires independent knowledge of metadata for previous messages, which are not available publicly. This issue affects WhatsApp for Android 2.19.52 and 2.19.54 - 2.19.103, as well as WhatsApp Business for Android starting in v2.19.22 until v2.19.38."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "Improper Access Control (CWE-284)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-05-15T15:48:59",
        "orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
        "shortName": "facebook"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.facebook.com/security/advisories/cve-2019-3566"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve-assign@fb.com",
          "DATE_ASSIGNED": "2019-05-09",
          "ID": "CVE-2019-3566",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "WhatsApp for Android",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "!=\u003e",
                            "version_value": "2.19.104"
                          },
                          {
                            "version_affected": "\u003e=",
                            "version_value": "2.19.54"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "2.19.52"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "WhatsApp Business for Android",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "!=\u003e",
                            "version_value": "2.19.38"
                          },
                          {
                            "version_affected": "\u003e=",
                            "version_value": "2.19.22"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Facebook"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A bug in WhatsApp for Android\u0027s messaging logic would potentially allow a malicious individual who has taken over over a WhatsApp user\u0027s account to recover previously sent messages. This behavior requires independent knowledge of metadata for previous messages, which are not available publicly. This issue affects WhatsApp for Android 2.19.52 and 2.19.54 - 2.19.103, as well as WhatsApp Business for Android starting in v2.19.22 until v2.19.38."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Improper Access Control (CWE-284)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.facebook.com/security/advisories/cve-2019-3566",
              "refsource": "MISC",
              "url": "https://www.facebook.com/security/advisories/cve-2019-3566"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
    "assignerShortName": "facebook",
    "cveId": "CVE-2019-3566",
    "datePublished": "2019-05-10T20:58:02",
    "dateReserved": "2019-01-02T00:00:00",
    "dateUpdated": "2024-08-04T19:12:09.532Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:whatsapp:whatsapp:*:*:*:*:*:android:*:*\", \"versionStartIncluding\": \"2.19.54\", \"versionEndIncluding\": \"2.19.103\", \"matchCriteriaId\": \"F990E9CA-6D62-4804-8E0C-DAC9AD7DA3DE\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:whatsapp:whatsapp:2.19.52:*:*:*:*:android:*:*\", \"matchCriteriaId\": \"C3AF6D26-D194-4F97-90A6-3A84ACFE6E20\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:whatsapp:whatsapp_business:*:*:*:*:*:android:*:*\", \"versionStartIncluding\": \"2.19.22\", \"versionEndIncluding\": \"2.19.38\", \"matchCriteriaId\": \"D86A653D-F50C-409D-82C9-2342EEFB0F29\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"A bug in WhatsApp for Android\u0027s messaging logic would potentially allow a malicious individual who has taken over over a WhatsApp user\u0027s account to recover previously sent messages. This behavior requires independent knowledge of metadata for previous messages, which are not available publicly. This issue affects WhatsApp for Android 2.19.52 and 2.19.54 - 2.19.103, as well as WhatsApp Business for Android starting in v2.19.22 until v2.19.38.\"}, {\"lang\": \"es\", \"value\": \"Se descubri\\u00f3 un error en la l\\u00f3gica de mensajer\\u00eda de WhatsApp para Android que permitir\\u00eda potencialmente que un individuo malicioso que se haya encargado de la cuenta de un usuario de WhatsApp recupere los mensajes enviados anteriormente. Este comportamiento requiere un conocimiento independiente de los metadatos para los mensajes anteriores, que no est\\u00e1n disponibles p\\u00fablicamente. Este problema afecta a WhatsApp para Android versi\\u00f3n 2.19.52 y  versi\\u00f3n 2.19.54 - 2.19.103, as\\u00ed como a WhatsApp Business para Android comenzando en la versi\\u00f3n v2.19.22 hasta v2.19.38.\"}]",
      "id": "CVE-2019-3566",
      "lastModified": "2024-11-21T04:42:10.717",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"baseScore\": 5.9, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.2, \"impactScore\": 3.6}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:P/I:N/A:N\", \"baseScore\": 4.3, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.6, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2019-05-10T21:29:00.303",
      "references": "[{\"url\": \"https://www.facebook.com/security/advisories/cve-2019-3566\", \"source\": \"cve-assign@fb.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.facebook.com/security/advisories/cve-2019-3566\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
      "sourceIdentifier": "cve-assign@fb.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"cve-assign@fb.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-284\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-noinfo\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2019-3566\",\"sourceIdentifier\":\"cve-assign@fb.com\",\"published\":\"2019-05-10T21:29:00.303\",\"lastModified\":\"2024-11-21T04:42:10.717\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A bug in WhatsApp for Android\u0027s messaging logic would potentially allow a malicious individual who has taken over over a WhatsApp user\u0027s account to recover previously sent messages. This behavior requires independent knowledge of metadata for previous messages, which are not available publicly. This issue affects WhatsApp for Android 2.19.52 and 2.19.54 - 2.19.103, as well as WhatsApp Business for Android starting in v2.19.22 until v2.19.38.\"},{\"lang\":\"es\",\"value\":\"Se descubri\u00f3 un error en la l\u00f3gica de mensajer\u00eda de WhatsApp para Android que permitir\u00eda potencialmente que un individuo malicioso que se haya encargado de la cuenta de un usuario de WhatsApp recupere los mensajes enviados anteriormente. Este comportamiento requiere un conocimiento independiente de los metadatos para los mensajes anteriores, que no est\u00e1n disponibles p\u00fablicamente. Este problema afecta a WhatsApp para Android versi\u00f3n 2.19.52 y  versi\u00f3n 2.19.54 - 2.19.103, as\u00ed como a WhatsApp Business para Android comenzando en la versi\u00f3n v2.19.22 hasta v2.19.38.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":5.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.2,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:P/I:N/A:N\",\"baseScore\":4.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"cve-assign@fb.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-284\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:whatsapp:whatsapp:*:*:*:*:*:android:*:*\",\"versionStartIncluding\":\"2.19.54\",\"versionEndIncluding\":\"2.19.103\",\"matchCriteriaId\":\"F990E9CA-6D62-4804-8E0C-DAC9AD7DA3DE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:whatsapp:whatsapp:2.19.52:*:*:*:*:android:*:*\",\"matchCriteriaId\":\"C3AF6D26-D194-4F97-90A6-3A84ACFE6E20\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:whatsapp:whatsapp_business:*:*:*:*:*:android:*:*\",\"versionStartIncluding\":\"2.19.22\",\"versionEndIncluding\":\"2.19.38\",\"matchCriteriaId\":\"D86A653D-F50C-409D-82C9-2342EEFB0F29\"}]}]}],\"references\":[{\"url\":\"https://www.facebook.com/security/advisories/cve-2019-3566\",\"source\":\"cve-assign@fb.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.facebook.com/security/advisories/cve-2019-3566\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.