Vulnerability Details : CVE-2021-41861
The Telegram application 7.5.0 through 7.8.0 for Android does not properly implement image self-destruction, a different vulnerability than CVE-2019-16248. After approximately two to four uses of the self-destruct feature, there is a misleading UI indication that an image was deleted (on both the sender and recipient sides). The images are still present in the /Storage/Emulated/0/Telegram/Telegram Image/ directory.
Products affected by CVE-2021-41861
Exploit prediction scoring system (EPSS) score for CVE-2021-41861
0.05%
Probability of exploitation activity in the next 30 days
~ 12 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2021-41861
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
2.1 | LOW | AV:L/AC:L/Au:N/C:N/I:P/A:N | 3.9 | 2.9 | NIST | |
3.3 | LOW | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N | 1.8 | 1.4 | NIST | |
References for CVE-2021-41861
- https://pikabu.ru/story/konfidentsialnost_polzovateley_telegram_snova_narushena_predstaviteli_messendzhera_trebuyut_ne_raskryivat_podrobnostey_8511495
  Third Party Advisory
- https://habr.com/ru/post/580582/
  Telegram user privacy violated again. Messenger representatives demand that details not be disclosed / Habr
  Third Party Advisory
- https://desktop.telegram.org/changelog#v-2-6-23-02-21
  Version history
  Release Notes; Vendor Advisory
- https://telegram.org/blog/autodelete-inv2/ru#avtomaticheskoe-udalenie-soobschenii
  Auto-delete, widgets and expiring invite links
  Vendor Advisory