ID: CVE-2023-24069

Last Modified: Feb. 2, 2023

** DISPUTED ** Signal Desktop before 6.2.0 on Windows, Linux, and macOS allows an attacker to obtain potentially sensitive attachments sent in messages from the attachments.noindex directory. Cached attachments are not effectively cleared. In some cases, even after a self-initiated file deletion, an attacker can still recover the file if it was previously replied to in a conversation. (Local filesystem access is needed by the attacker.) NOTE: the vendor disputes the relevance of this finding because the product is not intended to protect against adversaries with this degree of local access.

Twitter Activity

Tweets last week: 28

Remaining steady

Yahoo Activity

Yahoo results: 322000000

Remaining steady

EPSS History

Current EPSS Score: 0.01669

Remaining steady


Reddit Activity

Reddit Posts: 6

Remaining steady

Github Repos

Github Repos: 1

Remaining steady

Exploits

Found exploits:

Attack Vector: Local

Attack Complexity: Low

Privileges Required: Low

User Interaction: None

Scope: Unchanged

Confidentiality: Low

Integrity: None

Availability: None

Base Score: 3.3

Exploitability Score: 1.8

Impact Score: 1.4

CVSS V3: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Specialize CVSS-Score

NVD-CWE-noinfo

Condition Configuration
AND
OR
OR
Alle Schwachstellen für signal
OR
OR
Alle Schwachstellen für apple
Alle Schwachstellen für linux
Alle Schwachstellen für microsoft
Date: Jan. 26, 2023

Description: Signal Desktop before 6.2.0 on Windows, Linux, and macOS allows an attacker to obtain potentially sensitive attachments sent in messages from the attachments.noindex directory. Cached attachments are not effectively cleared. In some cases, even after a self-initiated file deletion, an attacker can still recover the file if it was previously replied to in a conversation. (Local filesystem access is needed by the attacker.)



Date: Feb. 2, 2023

CWE-ID: Not defined
Base Score V3: Not defined
Exploitability Score V3: Not defined
Impact Score V3: Not defined
Cvss Vector V3: Not defined



                    <?xml version="1.0" ?>
<set operator="and">
    <set operator="and">
        <set operator="or">
            <prop key="application" value="cpe:2.3:a:signal:signal-desktop:*:*:*:*:*:*:*:*"/>
        </set>
        <set operator="or">
            <prop key="operating_system" value="cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*"/>
            <prop key="operating_system" value="cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"/>
            <prop key="operating_system" value="cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*"/>
        </set>
    </set>
</set>

                  
                      <?xml version="1.0" ?>
<set operator="and">
    <set operator="and">
        <set operator="or">
            <prop key="application" value="cpe:2.3:a:signal:signal-desktop:*:*:*:*:*:*:*:*"/>
        </set>
        <set operator="or">
            <prop key="operating_system" value="cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*"/>
            <prop key="operating_system" value="cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"/>
            <prop key="operating_system" value="cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*"/>
        </set>
    </set>
    <prop key="program_influence" value="input"/>
</set>