Vulnerability Description
Open Whisper Signal (aka Signal-Desktop) through 1.23.1 and the Signal Private Messenger application through 4.35.3 for Android are vulnerable to an IDN homograph attack when displaying messages containing URLs. This occurs because the application produces a clickable link even if (for example) Latin and Cyrillic characters exist in the same domain name, and the available font has an identical representation of characters from different alphabets.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Signal | Private Messenger | <= 4.35.3 |
| Signal | Signal-Desktop | <= 1.23.1 |
References
- http://www.securityfocus.com/bid/107550 (Third Party Advisory, VDB Entry)
- https://github.com/blazeinfosec/advisories/blob/master/signal-advisory.txt (Third Party Advisory)
FAQ
What is CVE-2019-9970?
CVE-2019-9970 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Open Whisper Signal (aka Signal-Desktop) through 1.23.1 and the Signal Private Messenger application through 4.35.3 for Android are vulnerable to an IDN homograph attack when displaying messages conta...
How severe is CVE-2019-9970?
CVE-2019-9970 has been rated MEDIUM with a CVSS base score of 6.5/10; see the CVSS Score section above.
Is there a patch for CVE-2019-9970?
Check the References section above for vendor advisories and patch information. Affected products include Signal Private Messenger (Android) and Signal-Desktop.