Last Modified: Feb. 2, 2023
** DISPUTED ** Signal Desktop before 6.2.0 on Windows, Linux, and macOS allows an attacker to obtain potentially sensitive attachments sent in messages from the attachments.noindex directory. Cached attachments are not effectively cleared. In some cases, even after a self-initiated file deletion, an attacker can still recover the file if it was previously replied to in a conversation. (Local filesystem access is needed by the attacker.) NOTE: the vendor disputes the relevance of this finding because the product is not intended to protect against adversaries with this degree of local access.
Tweets last week: 28
Remaining steady
Yahoo results: 322000000
Remaining steady
Current EPSS Score: 0.01669
Remaining steady
Reddit Posts: 6
Remaining steady
Github Repos: 1
Remaining steady
Found exploits:
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None
Base Score: 3.3
Exploitability Score:
1.8
Impact Score: 1.4
CVSS V3: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
NVD-CWE-noinfo
| Condition | Configuration | |
|---|---|---|
| AND | ||
| OR | ||
| OR | ||
| cpe:2.3:a:signal:signal-desktop:*:*:*:*:*:*:*:* Part: a Vendor: signal | Alle Schwachstellen für signal | |
| OR | ||
| OR | ||
| cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:* Part: o Vendor: apple | Alle Schwachstellen für apple | |
| cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:* Part: o Vendor: linux | Alle Schwachstellen für linux | |
| cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:* Part: o Vendor: microsoft | Alle Schwachstellen für microsoft | |
Description:
Signal Desktop before 6.2.0 on Windows, Linux, and macOS allows an attacker to obtain potentially sensitive attachments sent in messages from the attachments.noindex directory. Cached attachments are not effectively cleared. In some cases, even after a self-initiated file deletion, an attacker can still recover the file if it was previously replied to in a conversation. (Local filesystem access is needed by the attacker.)
CWE-ID:
Not defined
Base Score V3:
Not defined
Exploitability Score V3:
Not defined
Impact Score V3:
Not defined
Cvss Vector V3:
Not defined
<?xml version="1.0" ?>
<set operator="and">
<set operator="and">
<set operator="or">
<prop key="application" value="cpe:2.3:a:signal:signal-desktop:*:*:*:*:*:*:*:*"/>
</set>
<set operator="or">
<prop key="operating_system" value="cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*"/>
<prop key="operating_system" value="cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"/>
<prop key="operating_system" value="cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*"/>
</set>
</set>
</set>
<?xml version="1.0" ?>
<set operator="and">
<set operator="and">
<set operator="or">
<prop key="application" value="cpe:2.3:a:signal:signal-desktop:*:*:*:*:*:*:*:*"/>
</set>
<set operator="or">
<prop key="operating_system" value="cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*"/>
<prop key="operating_system" value="cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"/>
<prop key="operating_system" value="cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*"/>
</set>
</set>
<prop key="program_influence" value="input"/>
</set>