CVE-2019-11931
Published 2019-11-14
Priority P3 · 38 · high · 7.8 CVSS 3.1
AV:L / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H
EPSS: 1.32% (67.3th percentile)
A stack-based buffer overflow could be triggered in WhatsApp by sending a specially crafted MP4 file to a WhatsApp user. The issue was present in parsing the elementary stream metadata of an MP4 file and could result in a DoS or RCE. This affects Android versions prior to 2.19.274, iOS versions prior to 2.19.100, Enterprise Client versions prior to 2.25.3, Business for Android versions prior to 2.19.104 and Business for iOS versions prior to 2.19.100.
Affected
17 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| | whatsapp_business_for_android | — | — |
| | whatsapp_business_for_android | >= unspecified < 2.19.104 | 2.19.104 |
| | whatsapp_business_for_ios | — | — |
| | whatsapp_business_for_ios | >= unspecified < 2.19.100 | 2.19.100 |
| | whatsapp_enterprise_client | — | — |
| | whatsapp_enterprise_client | >= unspecified < 2.25.3 | 2.25.3 |
| | whatsapp_for_android | — | — |
| | whatsapp_for_android | >= unspecified < 2.19.274 | 2.19.274 |
| | whatsapp_for_ios | — | — |
| | whatsapp_for_ios | >= unspecified < 2.19.100 | 2.19.100 |
| | whatsapp_for_windows_phone | unspecified – 2.18.368 | — |
| | | < 2.19.100 | 2.19.100 |
| | | < 2.19.274 | 2.19.274 |
| | | <= 2.18.368 | — |
| | whatsapp_business | < 2.19.100 | 2.19.100 |
| | whatsapp_business | < 2.19.104 | 2.19.104 |
| | whatsapp_enterprise_client | < 2.25.3 | 2.25.3 |
CVSS provenance
nvd · v3.1 · 7.8 · HIGH · CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd · v2.0 · 6.8 · MEDIUM · AV:N/AC:M/Au:N/C:P/I:P/A:P
GHSA
GHSA-6c69-f792-7pq7: A stack-based buffer overflow could be triggered in WhatsApp by sending a specially crafted MP4 file to a WhatsApp user
ghsa_unreviewed·2022-05-24
CVE-2019-11931 [MEDIUM] GHSA-6c69-f792-7pq7: A stack-based buffer overflow could be triggered in WhatsApp by sending a specially crafted MP4 file to a WhatsApp user
Project0
Fuzzing ImageIO - Project Zero
project_zero·2020-04-01
CVE-2020-11758 Fuzzing ImageIO - Project Zero
Posted by Samuel Groß, Project Zero
This blog post discusses an old type of issue, vulnerabilities in image format parsers, in a new(er) context: on interactionless code paths in popular messenger apps. This research was focused on the Apple ecosystem and the image parsing API provided by it: the ImageIO framework. Multiple vulnerabilities in image parsing code were found, reported to Apple or the respective open source image library maintainers, and subsequently fixed. During this research, a lightweight and low-overhead guided fuzzing approach for closed source binaries was implemented and is released alongside this blogpost.
To reiterate an important point, the vulnerabilities described throughout this blog are reachable through popular messengers but are not part of their codebase.
No detection rules found.
No public exploits indexed.