CVE-2023-38538 - Vulnerability Details - OpenCVE

A race condition in an event subsystem led to a heap use-after-free issue in established audio/video calls that could have resulted in app termination or unexpected control flow with very low probability.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0009.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Whatsapp	Whatsapp

Configuration 1 [-]

cpe:2.3:a:whatsapp:whatsapp:*:*:*:*:desktop:windows:*:*

No data.

No data.

References

Link	Providers
https://www.whatsapp.com/security/advisories/2023/

History

Thu, 19 Sep 2024 16:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: facebook

Published: 2023-10-04T19:10:49.627Z

Updated: 2024-09-19T15:27:48.295Z

Reserved: 2023-07-19T20:34:49.827Z

Link: CVE-2023-38538

Vulnrichment

Updated: 2024-08-02T17:46:56.586Z

NVD

Status : Modified

Published: 2023-10-04T20:15:10.020

Modified: 2024-11-21T08:13:47.463

Link: CVE-2023-38538

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-38538", "assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827", "state": "PUBLISHED", "assignerShortName": "facebook", "dateReserved": "2023-07-19T20:34:49.827Z", "datePublished": "2023-10-04T19:10:49.627Z", "dateUpdated": "2024-09-19T15:27:48.295Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "product": "WhatsApp Desktop for Mac", "vendor": "Facebook", "versions": [{"lessThan": "2.2338.12", "status": "affected", "version": "0", "versionType": "semver"}]}, {"defaultStatus": "affected", "product": "WhatsApp Desktop for Windows", "vendor": "Facebook", "versions": [{"lessThan": "2.2320.2", "status": "affected", "version": "0", "versionType": "semver"}]}, {"defaultStatus": "affected", "product": "WhatsApp Business for iOS", "vendor": "Facebook", "versions": [{"lessThan": "2.23.10.77", "status": "affected", "version": "0", "versionType": "semver"}]}, {"defaultStatus": "affected", "product": "WhatsApp for iOS", "vendor": "Facebook", "versions": [{"lessThan": "2.23.10.77", "status": "affected", "version": "0", "versionType": "semver"}]}, {"defaultStatus": "affected", "product": "WhatsApp Business for Android", "vendor": "Facebook", "versions": [{"lessThan": "2.23.10.77", "status": "affected", "version": "0", "versionType": "semver"}]}, {"defaultStatus": "affected", "product": "WhatsApp for Android", "vendor": "Facebook", "versions": [{"lessThan": "2.23.10.77", "status": "affected", "version": "0", "versionType": "semver"}]}], "dateAssigned": "2023-07-19T00:00:00", "descriptions": [{"lang": "en", "value": "A race condition in an event subsystem led to a heap use-after-free issue in established audio/video calls that could have resulted in app termination or unexpected control flow with very low probability."}], "problemTypes": [{"descriptions": [{"description": "CWE-416, CWE-366", "lang": "en"}]}], "providerMetadata": {"orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827", "shortName": "facebook", "dateUpdated": "2023-10-04T19:10:49.627Z"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.whatsapp.com/security/advisories/2023/"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C", "baseScore": 5, "baseSeverity": "MEDIUM"}}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T17:46:56.586Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.whatsapp.com/security/advisories/2023/"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-19T15:27:40.316899Z", "id": "CVE-2023-38538", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-19T15:27:48.295Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.whatsapp.com/security/advisories/2023/", "tags": ["x_refsource_CONFIRM", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T17:46:56.586Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-38538", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-19T15:27:40.316899Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-19T15:27:45.758Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Facebook", "product": "WhatsApp Desktop for Mac", "versions": [{"status": "affected", "version": "0", "lessThan": "2.2338.12", "versionType": "semver"}], "defaultStatus": "affected"}, {"vendor": "Facebook", "product": "WhatsApp Desktop for Windows", "versions": [{"status": "affected", "version": "0", "lessThan": "2.2320.2", "versionType": "semver"}], "defaultStatus": "affected"}, {"vendor": "Facebook", "product": "WhatsApp Business for iOS", "versions": [{"status": "affected", "version": "0", "lessThan": "2.23.10.77", "versionType": "semver"}], "defaultStatus": "affected"}, {"vendor": "Facebook", "product": "WhatsApp for iOS", "versions": [{"status": "affected", "version": "0", "lessThan": "2.23.10.77", "versionType": "semver"}], "defaultStatus": "affected"}, {"vendor": "Facebook", "product": "WhatsApp Business for Android", "versions": [{"status": "affected", "version": "0", "lessThan": "2.23.10.77", "versionType": "semver"}], "defaultStatus": "affected"}, {"vendor": "Facebook", "product": "WhatsApp for Android", "versions": [{"status": "affected", "version": "0", "lessThan": "2.23.10.77", "versionType": "semver"}], "defaultStatus": "affected"}], "references": [{"url": "https://www.whatsapp.com/security/advisories/2023/", "tags": ["x_refsource_CONFIRM"]}], "dateAssigned": "2023-07-19T00:00:00", "descriptions": [{"lang": "en", "value": "A race condition in an event subsystem led to a heap use-after-free issue in established audio/video calls that could have resulted in app termination or unexpected control flow with very low probability."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-416, CWE-366"}]}], "providerMetadata": {"orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827", "shortName": "facebook", "dateUpdated": "2023-10-04T19:10:49.627Z"}}}, "cveMetadata": {"cveId": "CVE-2023-38538", "state": "PUBLISHED", "dateUpdated": "2024-09-19T15:27:48.295Z", "dateReserved": "2023-07-19T20:34:49.827Z", "assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827", "datePublished": "2023-10-04T19:10:49.627Z", "assignerShortName": "facebook"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:whatsapp:whatsapp:*:*:*:*:desktop:windows:*:*", "matchCriteriaId": "59B97470-3259-479B-A43F-13FAD03299F6", "versionEndExcluding": "2.2320.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A race condition in an event subsystem led to a heap use-after-free issue in established audio/video calls that could have resulted in app termination or unexpected control flow with very low probability."}, {"lang": "es", "value": "Una condici\u00f3n de ejecuci\u00f3n en un subsistema de eventos provoc\u00f3 un problema de use-after-free en llamadas de audio/video establecidas que podr\u00eda haber resultado en la terminaci\u00f3n de la aplicaci\u00f3n o en un flujo de control inesperado con muy baja probabilidad."}], "id": "CVE-2023-38538", "lastModified": "2024-11-21T08:13:47.463", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.4, "source": "cve-assign@fb.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-10-04T20:15:10.020", "references": [{"source": "cve-assign@fb.com", "tags": ["Vendor Advisory"], "url": "https://www.whatsapp.com/security/advisories/2023/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.whatsapp.com/security/advisories/2023/"}], "sourceIdentifier": "cve-assign@fb.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-362"}], "source": "nvd@nist.gov", "type": "Primary"}]}