CVE-2019-3566 - OpenCVE

A bug in WhatsApp for Android's messaging logic would potentially allow a malicious individual who has taken over over a WhatsApp user's account to recover previously sent messages. This behavior requires independent knowledge of metadata for previous messages, which are not available publicly. This issue affects WhatsApp for Android 2.19.52 and 2.19.54 - 2.19.103, as well as WhatsApp Business for Android starting in v2.19.22 until v2.19.38.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:M/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Whatsapp	Whatsapp Whatsapp Business

Configuration 1 [-]

OR	cpe:2.3:a:whatsapp:whatsapp::::::android::*
	cpe:2.3:a:whatsapp:whatsapp:2.19.52:::::android::
	cpe:2.3:a:whatsapp:whatsapp_business::::::android::*

No data.

References

Link	Providers
https://www.facebook.com/security/advisories/cve-2019-3566

History

No history.

MITRE

Status: PUBLISHED

Assigner: facebook

Published: 2019-05-10T20:58:02

Updated: 2024-08-04T19:12:09.532Z

Reserved: 2019-01-02T00:00:00

Link: CVE-2019-3566

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2019-05-10T21:29:00.303

Modified: 2021-09-14T12:15:52.360

Link: CVE-2019-3566

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "WhatsApp for Android", "vendor": "Facebook", "versions": [{"status": "affected", "version": "2.19.104"}, {"lessThan": "unspecified", "status": "affected", "version": "2.19.54", "versionType": "custom"}, {"status": "affected", "version": "2.19.52"}]}, {"product": "WhatsApp Business for Android", "vendor": "Facebook", "versions": [{"status": "affected", "version": "2.19.38"}, {"lessThan": "unspecified", "status": "affected", "version": "2.19.22", "versionType": "custom"}]}], "dateAssigned": "2019-05-09T00:00:00", "descriptions": [{"lang": "en", "value": "A bug in WhatsApp for Android's messaging logic would potentially allow a malicious individual who has taken over over a WhatsApp user's account to recover previously sent messages. This behavior requires independent knowledge of metadata for previous messages, which are not available publicly. This issue affects WhatsApp for Android 2.19.52 and 2.19.54 - 2.19.103, as well as WhatsApp Business for Android starting in v2.19.22 until v2.19.38."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "description": "Improper Access Control (CWE-284)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2019-05-15T15:48:59", "orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827", "shortName": "facebook"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.facebook.com/security/advisories/cve-2019-3566"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve-assign@fb.com", "DATE_ASSIGNED": "2019-05-09", "ID": "CVE-2019-3566", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "WhatsApp for Android", "version": {"version_data": [{"version_affected": "!=>", "version_value": "2.19.104"}, {"version_affected": ">=", "version_value": "2.19.54"}, {"version_affected": "=", "version_value": "2.19.52"}]}}, {"product_name": "WhatsApp Business for Android", "version": {"version_data": [{"version_affected": "!=>", "version_value": "2.19.38"}, {"version_affected": ">=", "version_value": "2.19.22"}]}}]}, "vendor_name": "Facebook"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A bug in WhatsApp for Android's messaging logic would potentially allow a malicious individual who has taken over over a WhatsApp user's account to recover previously sent messages. This behavior requires independent knowledge of metadata for previous messages, which are not available publicly. This issue affects WhatsApp for Android 2.19.52 and 2.19.54 - 2.19.103, as well as WhatsApp Business for Android starting in v2.19.22 until v2.19.38."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Improper Access Control (CWE-284)"}]}]}, "references": {"reference_data": [{"name": "https://www.facebook.com/security/advisories/cve-2019-3566", "refsource": "MISC", "url": "https://www.facebook.com/security/advisories/cve-2019-3566"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T19:12:09.532Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.facebook.com/security/advisories/cve-2019-3566"}]}]}, "cveMetadata": {"assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827", "assignerShortName": "facebook", "cveId": "CVE-2019-3566", "datePublished": "2019-05-10T20:58:02", "dateReserved": "2019-01-02T00:00:00", "dateUpdated": "2024-08-04T19:12:09.532Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:whatsapp:whatsapp:*:*:*:*:*:android:*:*", "matchCriteriaId": "F990E9CA-6D62-4804-8E0C-DAC9AD7DA3DE", "versionEndIncluding": "2.19.103", "versionStartIncluding": "2.19.54", "vulnerable": true}, {"criteria": "cpe:2.3:a:whatsapp:whatsapp:2.19.52:*:*:*:*:android:*:*", "matchCriteriaId": "C3AF6D26-D194-4F97-90A6-3A84ACFE6E20", "vulnerable": true}, {"criteria": "cpe:2.3:a:whatsapp:whatsapp_business:*:*:*:*:*:android:*:*", "matchCriteriaId": "D86A653D-F50C-409D-82C9-2342EEFB0F29", "versionEndIncluding": "2.19.38", "versionStartIncluding": "2.19.22", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A bug in WhatsApp for Android's messaging logic would potentially allow a malicious individual who has taken over over a WhatsApp user's account to recover previously sent messages. This behavior requires independent knowledge of metadata for previous messages, which are not available publicly. This issue affects WhatsApp for Android 2.19.52 and 2.19.54 - 2.19.103, as well as WhatsApp Business for Android starting in v2.19.22 until v2.19.38."}, {"lang": "es", "value": "Se descubri\u00f3 un error en la l\u00f3gica de mensajer\u00eda de WhatsApp para Android que permitir\u00eda potencialmente que un individuo malicioso que se haya encargado de la cuenta de un usuario de WhatsApp recupere los mensajes enviados anteriormente. Este comportamiento requiere un conocimiento independiente de los metadatos para los mensajes anteriores, que no est\u00e1n disponibles p\u00fablicamente. Este problema afecta a WhatsApp para Android versi\u00f3n 2.19.52 y versi\u00f3n 2.19.54 - 2.19.103, as\u00ed como a WhatsApp Business para Android comenzando en la versi\u00f3n v2.19.22 hasta v2.19.38."}], "id": "CVE-2019-3566", "lastModified": "2021-09-14T12:15:52.360", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-05-10T21:29:00.303", "references": [{"source": "cve-assign@fb.com", "tags": ["Third Party Advisory"], "url": "https://www.facebook.com/security/advisories/cve-2019-3566"}], "sourceIdentifier": "cve-assign@fb.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-284"}], "source": "cve-assign@fb.com", "type": "Secondary"}]}