Information disclosure in Telegram for Android - CVE-2018-3986
Published: December 21, 2018 / Updated: August 15, 2020
Vulnerability identifier: #VU16674
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-3986
CWE-ID: CWE-200
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: Telegram
Affected software:
Telegram for Android
Telegram for Android
Detailed vulnerability description
The vulnerability allows a local high-privileged attacker to obtain potentially sensitive information.
The vulnerability exists in the "Secret Chats" functionality of the Telegram Android messaging application due to leaving of behind photos taken and shared on the secret chats, even after the chats are deleted. A local attacker can gain access to potentially sensitive information from all applications installed on the Android device.
How to mitigate CVE-2018-3986
Install update from vendor's website.