Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2023-38537

Summary
Assigner-facebook
Assigner Org ID-4fc57720-52fe-4431-a0fb-3d2c8747b827
Published At-04 Oct, 2023 | 19:09
Updated At-19 Sep, 2024 | 15:27
Rejected At-
Credits

A race condition in a network transport subsystem led to a heap use-after-free issue in established or unsilenced incoming audio/video calls that could have resulted in app termination or unexpected control flow with very low probability.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:facebook
Assigner Org ID:4fc57720-52fe-4431-a0fb-3d2c8747b827
Published At:04 Oct, 2023 | 19:09
Updated At:19 Sep, 2024 | 15:27
Rejected At:
▼CVE Numbering Authority (CNA)

A race condition in a network transport subsystem led to a heap use-after-free issue in established or unsilenced incoming audio/video calls that could have resulted in app termination or unexpected control flow with very low probability.

Affected Products
Vendor
FacebookFacebook
Product
WhatsApp Desktop for Mac
Default Status
affected
Versions
Affected
  • From 0 before 2.2338.12 (semver)
Vendor
FacebookFacebook
Product
WhatsApp Desktop for Windows
Default Status
affected
Versions
Affected
  • From 0 before 2.2320.2 (semver)
Vendor
FacebookFacebook
Product
WhatsApp Business for iOS
Default Status
affected
Versions
Affected
  • From 0 before 2.23.10.77 (semver)
Vendor
FacebookFacebook
Product
WhatsApp for iOS
Default Status
affected
Versions
Affected
  • From 0 before 2.23.10.77 (semver)
Vendor
FacebookFacebook
Product
WhatsApp Business for Android
Default Status
affected
Versions
Affected
  • From 0 before 2.23.10.77 (semver)
Vendor
FacebookFacebook
Product
WhatsApp for Android
Default Status
affected
Versions
Affected
  • From 0 before 2.23.10.77 (semver)
Problem Types
TypeCWE IDDescription
N/AN/ACWE-416, CWE-366
Type: N/A
CWE ID: N/A
Description: CWE-416, CWE-366
Metrics
VersionBase scoreBase severityVector
3.15.6MEDIUM
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
Version: 3.1
Base score: 5.6
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.whatsapp.com/security/advisories/2023/
x_refsource_CONFIRM
Hyperlink: https://www.whatsapp.com/security/advisories/2023/
Resource:
x_refsource_CONFIRM
▼Authorized Data Publishers (ADP)
1. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.whatsapp.com/security/advisories/2023/
x_refsource_CONFIRM
x_transferred
Hyperlink: https://www.whatsapp.com/security/advisories/2023/
Resource:
x_refsource_CONFIRM
x_transferred
2. CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve-assign@fb.com
Published At:04 Oct, 2023 | 20:15
Updated At:07 Nov, 2023 | 04:17

A race condition in a network transport subsystem led to a heap use-after-free issue in established or unsilenced incoming audio/video calls that could have resulted in app termination or unexpected control flow with very low probability.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.15.6MEDIUM
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Secondary3.15.6MEDIUM
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Type: Primary
Version: 3.1
Base score: 5.6
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Type: Secondary
Version: 3.1
Base score: 5.6
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
CPE Matches
WhatsApp LLC
whatsapp
>>whatsapp>>Versions before 2.2338.12(exclusive)
cpe:2.3:a:whatsapp:whatsapp:*:*:*:*:desktop:mac_os_x:*:*
Weaknesses
CWE IDTypeSource
CWE-362Primarynvd@nist.gov
CWE ID: CWE-362
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://www.whatsapp.com/security/advisories/2023/cve-assign@fb.com
Vendor Advisory
Hyperlink: https://www.whatsapp.com/security/advisories/2023/
Source: cve-assign@fb.com
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

0Records found
CVE-2021-24033
Matching Score-8
Assigner-Meta Platforms, Inc.
ShareView Details
Matching Score-8
Assigner-Meta Platforms, Inc.
CVSS Score-5.6||MEDIUM
EPSS-1.44% / 79.90%
||
7 Day CHG~0.00%
Published-09 Mar, 2021 | 00:25
Updated-03 Aug, 2024 | 19:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

react-dev-utils prior to v11.0.4 exposes a function, getProcessForPort, where an input argument is concatenated into a command string to be executed. This function is typically used from react-scripts (in Create React App projects), where the usage is safe. Only when this function is manually invoked with user-provided values (ie: by custom code) is there the potential for command injection. If you're consuming it from react-scripts then this issue does not affect you.

Action-Not Available
Vendor-Facebook
Product-react-dev-utilsreact-dev-utils
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-38538
Matching Score-6
Assigner-Meta Platforms, Inc.
ShareView Details
Matching Score-6
Assigner-Meta Platforms, Inc.
CVSS Score-5||MEDIUM
EPSS-0.09% / 26.51%
||
7 Day CHG~0.00%
Published-04 Oct, 2023 | 19:10
Updated-19 Sep, 2024 | 15:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A race condition in an event subsystem led to a heap use-after-free issue in established audio/video calls that could have resulted in app termination or unexpected control flow with very low probability.

Action-Not Available
Vendor-WhatsApp LLCFacebook
Product-whatsappWhatsApp Desktop for WindowsWhatsApp Business for AndroidWhatsApp for iOSWhatsApp Business for iOSWhatsApp Desktop for MacWhatsApp for Android
CWE ID-CWE-362
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVE-2019-11922
Matching Score-6
Assigner-Meta Platforms, Inc.
ShareView Details
Matching Score-6
Assigner-Meta Platforms, Inc.
CVSS Score-8.1||HIGH
EPSS-0.65% / 69.97%
||
7 Day CHG~0.00%
Published-25 Jul, 2019 | 20:32
Updated-04 Aug, 2024 | 23:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A race condition in the one-pass compression functions of Zstandard prior to version 1.3.8 could allow an attacker to write bytes out of bounds if an output buffer smaller than the recommended size was used.

Action-Not Available
Vendor-Facebook
Product-zstandardZstandard
CWE ID-CWE-362
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Details not found