CVE-2019-17191 - OpenCVE

The Signal Private Messenger application before 4.47.7 for Android allows a caller to force a call to be answered, without callee user interaction, via a connect message. The existence of the call is noticeable to the callee; however, the audio channel may be open before the callee can block eavesdropping.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Signal	Private Messenger

Configuration 1 [-]

cpe:2.3:a:signal:private_messenger:*:*:*:*:*:android:*:*

References

Link	Resource
https://bugs.chromium.org/p/project-zero/issues/detail?id=1943	Exploit Third Party Advisory
https://news.ycombinator.com/item?id=21161432	Exploit Issue Tracking Third Party Advisory
https://twitter.com/moxie/status/1180261210341511168	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2019-10-05T01:15:51

Updated: 2019-10-05T01:15:51

Reserved: 2019-10-05T00:00:00

Link: CVE-2019-17191

JSON object: View

NVD Information

Status : Analyzed

Published: 2019-10-05T02:15:11.300

Modified: 2021-07-21T11:39:23.747

Link: CVE-2019-17191

JSON object: View

Redhat Information

No data.

CWE

CWE-863

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "The Signal Private Messenger application before 4.47.7 for Android allows a caller to force a call to be answered, without callee user interaction, via a connect message. The existence of the call is noticeable to the callee; however, the audio channel may be open before the callee can block eavesdropping."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-10-05T01:15:51", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://news.ycombinator.com/item?id=21161432"}, {"tags": ["x_refsource_MISC"], "url": "https://twitter.com/moxie/status/1180261210341511168"}, {"tags": ["x_refsource_MISC"], "url": "https://bugs.chromium.org/p/project-zero/issues/detail?id=1943"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-17191", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Signal Private Messenger application before 4.47.7 for Android allows a caller to force a call to be answered, without callee user interaction, via a connect message. The existence of the call is noticeable to the callee; however, the audio channel may be open before the callee can block eavesdropping."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://news.ycombinator.com/item?id=21161432", "refsource": "MISC", "url": "https://news.ycombinator.com/item?id=21161432"}, {"name": "https://twitter.com/moxie/status/1180261210341511168", "refsource": "MISC", "url": "https://twitter.com/moxie/status/1180261210341511168"}, {"name": "https://bugs.chromium.org/p/project-zero/issues/detail?id=1943", "refsource": "MISC", "url": "https://bugs.chromium.org/p/project-zero/issues/detail?id=1943"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-17191", "datePublished": "2019-10-05T01:15:51", "dateReserved": "2019-10-05T00:00:00", "dateUpdated": "2019-10-05T01:15:51", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:signal:private_messenger:*:*:*:*:*:android:*:*", "matchCriteriaId": "843D1ABD-4EB8-4BAF-987D-6A51D11C2C10", "versionEndExcluding": "4.47.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Signal Private Messenger application before 4.47.7 for Android allows a caller to force a call to be answered, without callee user interaction, via a connect message. The existence of the call is noticeable to the callee; however, the audio channel may be open before the callee can block eavesdropping."}, {"lang": "es", "value": "La aplicaci\u00f3n Signal Private Messenger versiones anteriores a 4.47.7 para Android, permite a la persona que llama forzar una llamada para ser respondida, sin interacci\u00f3n del usuario llamado, por medio de un mensaje de conexi\u00f3n. La existencia de la llamada es notable para la persona que llama; sin embargo, el canal de audio puede estar abierto antes de que la persona que llama pueda bloquear las escuchas."}], "id": "CVE-2019-17191", "lastModified": "2021-07-21T11:39:23.747", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-10-05T02:15:11.300", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://bugs.chromium.org/p/project-zero/issues/detail?id=1943"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://news.ycombinator.com/item?id=21161432"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://twitter.com/moxie/status/1180261210341511168"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "nvd@nist.gov", "type": "Primary"}]}