CVE-2023-38537 - Vulnerability Details - OpenCVE

A race condition in a network transport subsystem led to a heap use-after-free issue in established or unsilenced incoming audio/video calls that could have resulted in app termination or unexpected control flow with very low probability.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00111.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Whatsapp	Whatsapp

Configuration 1 [-]

cpe:2.3:a:whatsapp:whatsapp:*:*:*:*:desktop:mac_os_x:*:*

No data.

No data.

References

Link	Providers
https://www.whatsapp.com/security/advisories/2023/

History

Thu, 19 Sep 2024 16:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: facebook

Published: 2023-10-04T19:09:58.086Z

Updated: 2024-09-19T15:27:23.286Z

Reserved: 2023-07-19T20:34:49.827Z

Link: CVE-2023-38537

Vulnrichment

Updated: 2024-08-02T17:46:56.022Z

NVD

Status : Modified

Published: 2023-10-04T20:15:09.927

Modified: 2024-11-21T08:13:47.330

Link: CVE-2023-38537

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-38537", "assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827", "state": "PUBLISHED", "assignerShortName": "facebook", "dateReserved": "2023-07-19T20:34:49.827Z", "datePublished": "2023-10-04T19:09:58.086Z", "dateUpdated": "2024-09-19T15:27:23.286Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "product": "WhatsApp Desktop for Mac", "vendor": "Facebook", "versions": [{"lessThan": "2.2338.12", "status": "affected", "version": "0", "versionType": "semver"}]}, {"defaultStatus": "affected", "product": "WhatsApp Desktop for Windows", "vendor": "Facebook", "versions": [{"lessThan": "2.2320.2", "status": "affected", "version": "0", "versionType": "semver"}]}, {"defaultStatus": "affected", "product": "WhatsApp Business for iOS", "vendor": "Facebook", "versions": [{"lessThan": "2.23.10.77", "status": "affected", "version": "0", "versionType": "semver"}]}, {"defaultStatus": "affected", "product": "WhatsApp for iOS", "vendor": "Facebook", "versions": [{"lessThan": "2.23.10.77", "status": "affected", "version": "0", "versionType": "semver"}]}, {"defaultStatus": "affected", "product": "WhatsApp Business for Android", "vendor": "Facebook", "versions": [{"lessThan": "2.23.10.77", "status": "affected", "version": "0", "versionType": "semver"}]}, {"defaultStatus": "affected", "product": "WhatsApp for Android", "vendor": "Facebook", "versions": [{"lessThan": "2.23.10.77", "status": "affected", "version": "0", "versionType": "semver"}]}], "dateAssigned": "2023-07-19T00:00:00", "descriptions": [{"lang": "en", "value": "A race condition in a network transport subsystem led to a heap use-after-free issue in established or unsilenced incoming audio/video calls that could have resulted in app termination or unexpected control flow with very low probability."}], "problemTypes": [{"descriptions": [{"description": "CWE-416, CWE-366", "lang": "en"}]}], "providerMetadata": {"orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827", "shortName": "facebook", "dateUpdated": "2023-10-04T19:09:58.086Z"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.whatsapp.com/security/advisories/2023/"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", "baseScore": 5.6, "baseSeverity": "MEDIUM"}}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T17:46:56.022Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.whatsapp.com/security/advisories/2023/"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-19T15:27:15.314042Z", "id": "CVE-2023-38537", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-19T15:27:23.286Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.whatsapp.com/security/advisories/2023/", "tags": ["x_refsource_CONFIRM", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T17:46:56.022Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-38537", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-19T15:27:15.314042Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-19T15:27:19.792Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 5.6, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Facebook", "product": "WhatsApp Desktop for Mac", "versions": [{"status": "affected", "version": "0", "lessThan": "2.2338.12", "versionType": "semver"}], "defaultStatus": "affected"}, {"vendor": "Facebook", "product": "WhatsApp Desktop for Windows", "versions": [{"status": "affected", "version": "0", "lessThan": "2.2320.2", "versionType": "semver"}], "defaultStatus": "affected"}, {"vendor": "Facebook", "product": "WhatsApp Business for iOS", "versions": [{"status": "affected", "version": "0", "lessThan": "2.23.10.77", "versionType": "semver"}], "defaultStatus": "affected"}, {"vendor": "Facebook", "product": "WhatsApp for iOS", "versions": [{"status": "affected", "version": "0", "lessThan": "2.23.10.77", "versionType": "semver"}], "defaultStatus": "affected"}, {"vendor": "Facebook", "product": "WhatsApp Business for Android", "versions": [{"status": "affected", "version": "0", "lessThan": "2.23.10.77", "versionType": "semver"}], "defaultStatus": "affected"}, {"vendor": "Facebook", "product": "WhatsApp for Android", "versions": [{"status": "affected", "version": "0", "lessThan": "2.23.10.77", "versionType": "semver"}], "defaultStatus": "affected"}], "references": [{"url": "https://www.whatsapp.com/security/advisories/2023/", "tags": ["x_refsource_CONFIRM"]}], "dateAssigned": "2023-07-19T00:00:00", "descriptions": [{"lang": "en", "value": "A race condition in a network transport subsystem led to a heap use-after-free issue in established or unsilenced incoming audio/video calls that could have resulted in app termination or unexpected control flow with very low probability."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-416, CWE-366"}]}], "providerMetadata": {"orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827", "shortName": "facebook", "dateUpdated": "2023-10-04T19:09:58.086Z"}}}, "cveMetadata": {"cveId": "CVE-2023-38537", "state": "PUBLISHED", "dateUpdated": "2024-09-19T15:27:23.286Z", "dateReserved": "2023-07-19T20:34:49.827Z", "assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827", "datePublished": "2023-10-04T19:09:58.086Z", "assignerShortName": "facebook"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:whatsapp:whatsapp:*:*:*:*:desktop:mac_os_x:*:*", "matchCriteriaId": "7C6CEBF5-6C77-4B03-8964-203FA2416CC7", "versionEndExcluding": "2.2338.12", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A race condition in a network transport subsystem led to a heap use-after-free issue in established or unsilenced incoming audio/video calls that could have resulted in app termination or unexpected control flow with very low probability."}, {"lang": "es", "value": "Una condici\u00f3n de ejecuci\u00f3n en un subsistema de transporte de red provoc\u00f3 un problema de use-after-free en llamadas de audio/video entrantes establecidas o no silenciadas que podr\u00edan haber resultado en la terminaci\u00f3n de la aplicaci\u00f3n o en un flujo de control inesperado con muy baja probabilidad."}], "id": "CVE-2023-38537", "lastModified": "2024-11-21T08:13:47.330", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.4, "source": "cve-assign@fb.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-10-04T20:15:09.927", "references": [{"source": "cve-assign@fb.com", "tags": ["Vendor Advisory"], "url": "https://www.whatsapp.com/security/advisories/2023/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.whatsapp.com/security/advisories/2023/"}], "sourceIdentifier": "cve-assign@fb.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-362"}], "source": "nvd@nist.gov", "type": "Primary"}]}