CVE-2021-41861 - OpenCVE

The Telegram application 7.5.0 through 7.8.0 for Android does not properly implement image self-destruction, a different vulnerability than CVE-2019-16248. After approximately two to four uses of the self-destruct feature, there is a misleading UI indication that an image was deleted (on both the sender and recipient sides). The images are still present in the /Storage/Emulated/0/Telegram/Telegram Image/ directory.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:L/AC:L/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Telegram	Telegram

Configuration 1 [-]

cpe:2.3:a:telegram:telegram:*:*:*:*:*:android:*:*

No data.

References

Link	Providers
https://desktop.telegram.org/changelog#v-2-6-23-02-21
https://habr.com/ru/post/580582/
https://pikabu.ru/story/konfidentsialnost_polzovateley_telegram_snova_narushena_predstaviteli_messendzhera_trebuyut_ne_raskryivat_podrobnostey_8511495
https://telegram.org/blog/autodelete-inv2/ru#avtomaticheskoe-udalenie-soobschenii

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2021-10-04T02:58:42

Updated: 2024-08-04T03:22:25.000Z

Reserved: 2021-10-01T00:00:00

Link: CVE-2021-41861

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-10-04T03:15:16.787

Modified: 2021-10-08T17:28:07.073

Link: CVE-2021-41861

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "The Telegram application 7.5.0 through 7.8.0 for Android does not properly implement image self-destruction, a different vulnerability than CVE-2019-16248. After approximately two to four uses of the self-destruct feature, there is a misleading UI indication that an image was deleted (on both the sender and recipient sides). The images are still present in the /Storage/Emulated/0/Telegram/Telegram Image/ directory."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-10-04T02:58:42", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://habr.com/ru/post/580582/"}, {"tags": ["x_refsource_MISC"], "url": "https://telegram.org/blog/autodelete-inv2/ru#avtomaticheskoe-udalenie-soobschenii"}, {"tags": ["x_refsource_MISC"], "url": "https://desktop.telegram.org/changelog#v-2-6-23-02-21"}, {"tags": ["x_refsource_MISC"], "url": "https://pikabu.ru/story/konfidentsialnost_polzovateley_telegram_snova_narushena_predstaviteli_messendzhera_trebuyut_ne_raskryivat_podrobnostey_8511495"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-41861", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Telegram application 7.5.0 through 7.8.0 for Android does not properly implement image self-destruction, a different vulnerability than CVE-2019-16248. After approximately two to four uses of the self-destruct feature, there is a misleading UI indication that an image was deleted (on both the sender and recipient sides). The images are still present in the /Storage/Emulated/0/Telegram/Telegram Image/ directory."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://habr.com/ru/post/580582/", "refsource": "MISC", "url": "https://habr.com/ru/post/580582/"}, {"name": "https://telegram.org/blog/autodelete-inv2/ru#avtomaticheskoe-udalenie-soobschenii", "refsource": "MISC", "url": "https://telegram.org/blog/autodelete-inv2/ru#avtomaticheskoe-udalenie-soobschenii"}, {"name": "https://desktop.telegram.org/changelog#v-2-6-23-02-21", "refsource": "MISC", "url": "https://desktop.telegram.org/changelog#v-2-6-23-02-21"}, {"name": "https://pikabu.ru/story/konfidentsialnost_polzovateley_telegram_snova_narushena_predstaviteli_messendzhera_trebuyut_ne_raskryivat_podrobnostey_8511495", "refsource": "MISC", "url": "https://pikabu.ru/story/konfidentsialnost_polzovateley_telegram_snova_narushena_predstaviteli_messendzhera_trebuyut_ne_raskryivat_podrobnostey_8511495"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T03:22:25.000Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://habr.com/ru/post/580582/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://telegram.org/blog/autodelete-inv2/ru#avtomaticheskoe-udalenie-soobschenii"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://desktop.telegram.org/changelog#v-2-6-23-02-21"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://pikabu.ru/story/konfidentsialnost_polzovateley_telegram_snova_narushena_predstaviteli_messendzhera_trebuyut_ne_raskryivat_podrobnostey_8511495"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-41861", "datePublished": "2021-10-04T02:58:42", "dateReserved": "2021-10-01T00:00:00", "dateUpdated": "2024-08-04T03:22:25.000Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:telegram:telegram:*:*:*:*:*:android:*:*", "matchCriteriaId": "94BF559C-E665-4B7A-9AFF-93743FBB3AEA", "versionEndIncluding": "7.8.0", "versionStartIncluding": "7.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Telegram application 7.5.0 through 7.8.0 for Android does not properly implement image self-destruction, a different vulnerability than CVE-2019-16248. After approximately two to four uses of the self-destruct feature, there is a misleading UI indication that an image was deleted (on both the sender and recipient sides). The images are still present in the /Storage/Emulated/0/Telegram/Telegram Image/ directory."}, {"lang": "es", "value": "La aplicaci\u00f3n Telegram versiones 7.5.0 hasta 7.8.0 para Android no implementa correctamente la autodestrucci\u00f3n de im\u00e1genes, una vulnerabilidad diferente a la de CVE-2019-16248. Despu\u00e9s de aproximadamente dos a cuatro usos de la funcionalidad de autodestrucci\u00f3n, presenta una indicaci\u00f3n de interfaz de usuario enga\u00f1osa de que una imagen fue eliminada (tanto en el lado del remitente como del destinatario). Las im\u00e1genes siguen presentes en el directorio /Storage/Emulated/0/Telegram/Telegram Image/"}], "id": "CVE-2021-41861", "lastModified": "2021-10-08T17:28:07.073", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-10-04T03:15:16.787", "references": [{"source": "cve@mitre.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://desktop.telegram.org/changelog#v-2-6-23-02-21"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://habr.com/ru/post/580582/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://pikabu.ru/story/konfidentsialnost_polzovateley_telegram_snova_narushena_predstaviteli_messendzhera_trebuyut_ne_raskryivat_podrobnostey_8511495"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://telegram.org/blog/autodelete-inv2/ru#avtomaticheskoe-udalenie-soobschenii"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}