Information disclosure in WhatsApp Messenger for Android - CVE-2019-3566

 

Published: May 10, 2019 / Updated: August 8, 2020


Vulnerability identifier: #VU35918
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2019-3566
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: WhatsApp
Affected software:
WhatsApp Messenger for Android

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

A bug in WhatsApp for Android's messaging logic would potentially allow a malicious individual who has taken over a WhatsApp user's account to recover previously sent messages. This behavior requires independent knowledge of metadata for previous messages, which is not publicly available. This issue affects WhatsApp for Android 2.19.52 and 2.19.54 - 2.19.103, as well as WhatsApp Business for Android starting in v2.19.22 until v2.19.38.


How to mitigate CVE-2019-3566

Install the update from the vendor's website.
