Vulnerability Details : CVE-2020-1902
A user running a quick search on a highly forwarded message on WhatsApp for Android from v2.20.108 to v2.20.140 or WhatsApp Business for Android from v2.20.35 to v2.20.49 could have been sent to the Google service over plain HTTP.
Vulnerability category: Information leak
Products affected by CVE-2020-1902
- Whatsapp » Whatsapp » For Android. Versions from including (>=) 2.20.108 and up to, including, (<=) 2.20.140. CPE: cpe:2.3:a:whatsapp:whatsapp:*:*:*:*:*:android:*:*
- Whatsapp » Whatsapp Business » For Android. Versions from including (>=) 2.20.35 and up to, including, (<=) 2.20.49. CPE: cpe:2.3:a:whatsapp:whatsapp_business:*:*:*:*:*:android:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-1902
- 0.15%: Probability of exploitation activity in the next 30 days
- ~32%: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2020-1902
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N | 10.0 | 2.9 | NIST | |
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 | NIST | |
CWE ids for CVE-2020-1902
- The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Assigned by: cve-assign@fb.com (Secondary)
- The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors. Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-1902
- https://www.whatsapp.com/security/advisories/2020/ (WhatsApp Security Advisories, Vendor Advisory)