Attacker Value
Unknown
(0 users assessed)
Exploitability
Unknown
(0 users assessed)
User Interaction
Required
Privileges Required
None
Attack Vector
Local
0

Stack-based buffer overflow could be triggered in WhatsApp with a malicious MP4 file

Disclosure Date: November 14, 2019
CVE-2019-11931 CVSS v3 Base Score: 7.8
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

A stack-based buffer overflow could be triggered in WhatsApp by sending a specially crafted MP4 file to a WhatsApp user. The issue was present in parsing the elementary stream metadata of an MP4 file and could result in a DoS or RCE. This affects Android versions prior to 2.19.274, iOS versions prior to 2.19.100, Enterprise Client versions prior to 2.25.3, Business for Android versions prior to 2.19.104 and Business for iOS versions prior to 2.19.100.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics
Base Score:
7.8 High
Impact Score:
5.9
Exploitability Score:
1.8
Vector:
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector (AV):
Local
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
Required
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Offensive Application
exploit
Utility Class
rce
Ports
Unknown
OS
Unknown
Vulnerable Versions
WhatsApp for Android 2.19.274
WhatsApp for Android 2.19.274
WhatsApp for iOS 2.19.100
WhatsApp for iOS 2.19.100
WhatsApp for Windows Phone 2.18.368
WhatsApp Enterprise Client 2.25.3
WhatsApp Enterprise Client 2.25.3
WhatsApp Business for Android 2.19.104
WhatsApp Business for Android 2.19.104
WhatsApp Business for iOS 2.19.100
WhatsApp Business for iOS 2.19.100
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Additional Info

Authenticated
Unknown
Exploitable
Always
Reliability
Strong
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Short
Userbase/Installbase
Very Large
Patch Effectiveness
Unknown
Technical Analysis