CVE-2021-24035 — Relative Path Traversal in Whatsapp Business FOR Android

CWE-23 — Relative Path Traversal CWE-22 — Path Traversal3 documents3 sources

Severity

9.1CRITICALNVD

EPSS

0.5%

top 34.68%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Facebook Whatsapp Business FOR Android Facebook Whatsapp FOR Android Whatsapp +1 more

Timeline

PublishedJun 11

Latest updateMay 24

Description

A lack of filename validation when unzipping archives prior to WhatsApp for Android v2.21.8.13 and WhatsApp Business for Android v2.21.8.13 could have allowed path traversal attacks that overwrite WhatsApp files.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:HExploitability: 3.9 | Impact: 5.2

Affected Packages4 packages

▶CVEListV5facebook/whatsapp_business_for_androidunspecified — v2.21.8.13

▶CVEListV5facebook/whatsapp_for_androidunspecified — v2.21.8.13

▶NVDwhatsapp/whatsapp_business< 2.21.8.13

▶NVDwhatsapp/whatsapp< 2.21.8.13

🔴Vulnerability Details

GHSA

GHSA-rrv8-x3gg-xhjg: A lack of filename validation when unzipping archives prior to WhatsApp for Android v2↗2022-05-24

▶

CVEList

CVE-2021-24035: A lack of filename validation when unzipping archives prior to WhatsApp for Android v2↗2021-06-11

▶