CVE-2019-11931 Detail

Current Description

A stack-based buffer overflow could be triggered in WhatsApp by sending a specially crafted MP4 file to a WhatsApp user. The issue was present in parsing the elementary stream metadata of an MP4 file and could result in a DoS or RCE. This affects Android versions prior to 2.19.274, iOS versions prior to 2.19.100, Enterprise Client versions prior to 2.25.3, Business for Android versions prior to 2.19.104 and Business for iOS versions prior to 2.19.100.




CVSS 3.x Severity and Metrics:

NIST: NVD
Base Score: 7.8 HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 2.0 Severity and Metrics:



NIST: NVD
Base Score: 6.8 MEDIUM
Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)

Weakness Enumeration

CWE-ID | CWE Name | Source
CWE-787 | Out-of-bounds Write | NIST
CWE-121 | Stack-based Buffer Overflow | Facebook, Inc.


Change History

1 change record found

Initial Analysis 11/19/2019 8:39:00 AM

Action: Added
Type: CPE Configuration
New Value (record truncated, showing 500 of 586 characters):
OR
*cpe:2.3:a:whatsapp:whatsapp:*:*:*:*:*:windows:*:* versions up to (including) 2.18.368
*cpe:2.3:a:whatsapp:whatsapp:*:*:*:*:*:iphone_os:*:* versions up to (excluding) 2.19.100
*cpe:2.3:a:whatsapp:whatsapp:*:*:*:*:*:android:*:* versions up to (excluding) 2.19.274
*cpe:2.3:a:whatsapp:whatsapp_business:*:*:*:*:*:iphone_os:*:* versions up to (excluding) 2.19.100
*cpe:2.3:a:whatsapp:whatsapp_business:*:*:*:*:*:android:*:* versions up to (excluding) 2.19.104
*cpe:2.3:a

Action: Added
Type: CVSS V2
New Value: NIST (AV:N/AC:M/Au:N/C:P/I:P/A:P)

Action: Added
Type: CVSS V2 Metadata
New Value: Victim must voluntarily interact with attack mechanism

Action: Added
Type: CVSS V3.1
New Value: NIST AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Action: Added
Type: CWE
New Value: NIST CWE-787

Action: Changed
Type: Reference Type
Old Value: https://www.facebook.com/security/advisories/cve-2019-11931 No Types Assigned
New Value: https://www.facebook.com/security/advisories/cve-2019-11931 Third Party Advisory



Quick Info

CVE Dictionary Entry: CVE-2019-11931
NVD Published Date: 11/14/2019
NVD Last Modified: 11/19/2019
Source: MITRE

