SB2021012802 - Gentoo update for Telegram Desktop 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2021012802

SB2021012802 - Gentoo update for Telegram Desktop

Published: January 28, 2021

Security Bulletin ID SB2021012802
Severity
Medium
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.


1) Input validation error (CVE-ID: CVE-2020-17448)

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to insufficient validation of user-supplied input when processing files without extensions. A remote attacker can pass a malicious file without file extension with a spoofed content type and compromise the affected system.


2) Missing Authorization (CVE-ID: CVE-2020-25824)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to the application does not require passcode entry upon pushing the Export key within the Export Telegram Data wizard. The threat model is a victim who has voluntarily opened Export Wizard but is then distracted. An attacker then approaches the unattended desktop and pushes the Export key. This attacker may consequently gain access to all chat conversation and media files.


Remediation

Install update from vendor's website.

References