CVE-2019-3566 - OpenCVE

A bug in WhatsApp for Android's messaging logic would potentially allow a malicious individual who has taken over over a WhatsApp user's account to recover previously sent messages. This behavior requires independent knowledge of metadata for previous messages, which are not available publicly. This issue affects WhatsApp for Android 2.19.52 and 2.19.54 - 2.19.103, as well as WhatsApp Business for Android starting in v2.19.22 until v2.19.38.

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:M/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Whatsapp	Whatsapp Business Whatsapp

Configuration 1 [-]

OR	cpe:2.3:a:whatsapp:whatsapp::::::android::*
	cpe:2.3:a:whatsapp:whatsapp:2.19.52:::::android::
	cpe:2.3:a:whatsapp:whatsapp_business::::::android::*

References

Link	Resource
https://www.facebook.com/security/advisories/cve-2019-3566	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: facebook

Published: 2019-05-10T20:58:02

Updated: 2019-05-15T15:48:59

Reserved: 2019-01-02T00:00:00

Link: CVE-2019-3566

JSON object: View

NVD Information

Status : Analyzed

Published: 2019-05-10T21:29:00.303

Modified: 2021-09-14T12:15:52.360

Link: CVE-2019-3566

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "WhatsApp for Android", "vendor": "Facebook", "versions": [{"status": "affected", "version": "2.19.104"}, {"lessThan": "unspecified", "status": "affected", "version": "2.19.54", "versionType": "custom"}, {"status": "affected", "version": "2.19.52"}]}, {"product": "WhatsApp Business for Android", "vendor": "Facebook", "versions": [{"status": "affected", "version": "2.19.38"}, {"lessThan": "unspecified", "status": "affected", "version": "2.19.22", "versionType": "custom"}]}], "dateAssigned": "2019-05-09T00:00:00", "descriptions": [{"lang": "en", "value": "A bug in WhatsApp for Android's messaging logic would potentially allow a malicious individual who has taken over over a WhatsApp user's account to recover previously sent messages. This behavior requires independent knowledge of metadata for previous messages, which are not available publicly. This issue affects WhatsApp for Android 2.19.52 and 2.19.54 - 2.19.103, as well as WhatsApp Business for Android starting in v2.19.22 until v2.19.38."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "description": "Improper Access Control (CWE-284)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2019-05-15T15:48:59", "orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827", "shortName": "facebook"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.facebook.com/security/advisories/cve-2019-3566"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve-assign@fb.com", "DATE_ASSIGNED": "2019-05-09", "ID": "CVE-2019-3566", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "WhatsApp for Android", "version": {"version_data": [{"version_affected": "!=>", "version_value": "2.19.104"}, {"version_affected": ">=", "version_value": "2.19.54"}, {"version_affected": "=", "version_value": "2.19.52"}]}}, {"product_name": "WhatsApp Business for Android", "version": {"version_data": [{"version_affected": "!=>", "version_value": "2.19.38"}, {"version_affected": ">=", "version_value": "2.19.22"}]}}]}, "vendor_name": "Facebook"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A bug in WhatsApp for Android's messaging logic would potentially allow a malicious individual who has taken over over a WhatsApp user's account to recover previously sent messages. This behavior requires independent knowledge of metadata for previous messages, which are not available publicly. This issue affects WhatsApp for Android 2.19.52 and 2.19.54 - 2.19.103, as well as WhatsApp Business for Android starting in v2.19.22 until v2.19.38."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Improper Access Control (CWE-284)"}]}]}, "references": {"reference_data": [{"name": "https://www.facebook.com/security/advisories/cve-2019-3566", "refsource": "MISC", "url": "https://www.facebook.com/security/advisories/cve-2019-3566"}]}}}}, "cveMetadata": {"assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827", "assignerShortName": "facebook", "cveId": "CVE-2019-3566", "datePublished": "2019-05-10T20:58:02", "dateReserved": "2019-01-02T00:00:00", "dateUpdated": "2019-05-15T15:48:59", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:whatsapp:whatsapp:*:*:*:*:*:android:*:*", "matchCriteriaId": "F990E9CA-6D62-4804-8E0C-DAC9AD7DA3DE", "versionEndIncluding": "2.19.103", "versionStartIncluding": "2.19.54", "vulnerable": true}, {"criteria": "cpe:2.3:a:whatsapp:whatsapp:2.19.52:*:*:*:*:android:*:*", "matchCriteriaId": "C3AF6D26-D194-4F97-90A6-3A84ACFE6E20", "vulnerable": true}, {"criteria": "cpe:2.3:a:whatsapp:whatsapp_business:*:*:*:*:*:android:*:*", "matchCriteriaId": "D86A653D-F50C-409D-82C9-2342EEFB0F29", "versionEndIncluding": "2.19.38", "versionStartIncluding": "2.19.22", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A bug in WhatsApp for Android's messaging logic would potentially allow a malicious individual who has taken over over a WhatsApp user's account to recover previously sent messages. This behavior requires independent knowledge of metadata for previous messages, which are not available publicly. This issue affects WhatsApp for Android 2.19.52 and 2.19.54 - 2.19.103, as well as WhatsApp Business for Android starting in v2.19.22 until v2.19.38."}, {"lang": "es", "value": "Se descubri\u00f3 un error en la l\u00f3gica de mensajer\u00eda de WhatsApp para Android que permitir\u00eda potencialmente que un individuo malicioso que se haya encargado de la cuenta de un usuario de WhatsApp recupere los mensajes enviados anteriormente. Este comportamiento requiere un conocimiento independiente de los metadatos para los mensajes anteriores, que no est\u00e1n disponibles p\u00fablicamente. Este problema afecta a WhatsApp para Android versi\u00f3n 2.19.52 y versi\u00f3n 2.19.54 - 2.19.103, as\u00ed como a WhatsApp Business para Android comenzando en la versi\u00f3n v2.19.22 hasta v2.19.38."}], "id": "CVE-2019-3566", "lastModified": "2021-09-14T12:15:52.360", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-05-10T21:29:00.303", "references": [{"source": "cve-assign@fb.com", "tags": ["Third Party Advisory"], "url": "https://www.facebook.com/security/advisories/cve-2019-3566"}], "sourceIdentifier": "cve-assign@fb.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-284"}], "source": "cve-assign@fb.com", "type": "Secondary"}]}