CVE-2019-3568

Published May 14, 2019

Last updated 4 months ago

Exploit known

Overview

Description: A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of RTCP packets sent to a target phone number. The issue affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15.
Source: cve-assign@fb.com
NVD status: Analyzed

Hype score: Not currently trending

Risk scores

CVSS 3.1

Type: Primary
Base score: 9.8
Impact score: 5.9
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL

CVSS 2.0

Type: Primary
Base score: 7.5
Impact score: 6.4
Exploitability score: 10
Vector string: AV:N/AC:L/Au:N/C:P/I:P/A:P

Known exploits

Data from CISA

Vulnerability name: WhatsApp VOIP Stack Buffer Overflow Vulnerability
Exploit added on: Apr 19, 2022
Exploit action due: May 10, 2022
Required action: Apply updates per vendor instructions.

Weaknesses

nvd@nist.gov: CWE-119
cve-assign@fb.com: CWE-122

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:whatsapp:whatsapp:*:*:*:*:*:tizen:*:*",
            "vulnerable": true,
            "matchCriteriaId": "49A0C7E5-1C25-4EA2-9436-A7922ACACB9B",
            "versionEndExcluding": "2.18.15"
          },
          {
            "criteria": "cpe:2.3:a:whatsapp:whatsapp:*:*:*:*:*:windows_phone:*:*",
            "vulnerable": true,
            "matchCriteriaId": "449816D3-570F-47D7-A70D-9351A4A6F190",
            "versionEndExcluding": "2.18.348"
          },
          {
            "criteria": "cpe:2.3:a:whatsapp:whatsapp:*:*:*:*:business:android:*:*",
            "vulnerable": true,
            "matchCriteriaId": "40408328-5F07-4AF3-A7A5-231D6EB05E9F",
            "versionEndExcluding": "2.19.44"
          },
          {
            "criteria": "cpe:2.3:a:whatsapp:whatsapp:*:*:*:*:*:iphone_os:*:*",
            "vulnerable": true,
            "matchCriteriaId": "84F1BA88-BA43-4857-B4C2-A32FA2937C11",
            "versionEndExcluding": "2.19.51"
          },
          {
            "criteria": "cpe:2.3:a:whatsapp:whatsapp:*:*:*:*:business:iphone_os:*:*",
            "vulnerable": true,
            "matchCriteriaId": "5C0EFE9B-7E98-40D7-A7CF-789F9E96F876",
            "versionEndExcluding": "2.19.51"
          },
          {
            "criteria": "cpe:2.3:a:whatsapp:whatsapp:*:*:*:*:*:android:*:*",
            "vulnerable": true,
            "matchCriteriaId": "B36B6FF7-DC69-4A5C-9FE7-EB127E6D0AA1",
            "versionEndExcluding": "2.19.134"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

Overview

Social media

Risk scores

CVSS 3.1

CVSS 2.0

Known exploits

Weaknesses

Configurations

References