CVE-2023-24068 — HIGH (7.8)

Q: How severe is CVE-2023-24068?

CVE-2023-24068 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2023-24068?

Check the references section above for vendor advisories and patch information. Affected products include: Signal Signal-Desktop, Apple Macos, Linux Linux Kernel, Microsoft Windows.

Vulnerability Description

Signal Desktop before 6.2.0 on Windows, Linux, and macOS allows an attacker to modify conversation attachments within the attachments.noindex directory. Client mechanisms fail to validate modifications of existing cached files, resulting in an attacker's ability to insert malicious code into pre-existing attachments or replace them completely. A threat actor can forward the existing attachment in the corresponding conversation to external groups, and the name and size of the file will not change, allowing the malware to masquerade as another file. NOTE: the vendor disputes the relevance of this finding because the product is not intended to protect against adversaries with this degree of local access.

CVSS Score

7.8

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Signal	Signal-Desktop	<= 6.2.0
Apple	Macos	-
Linux	Linux Kernel	-
Microsoft	Windows	-

References

https://johnjhacking.com/blog/cve-2023-24068-cve-2023-24069/ExploitThird Party Advisory
https://signal.org/download/linuxVendor Advisory
https://signal.org/download/macosVendor Advisory
https://signal.org/en/download/windowsVendor Advisory
https://johnjhacking.com/blog/cve-2023-24068-cve-2023-24069/ExploitThird Party Advisory
https://signal.org/download/linuxVendor Advisory
https://signal.org/download/macosVendor Advisory
https://signal.org/en/download/windowsVendor Advisory

FAQ

What is CVE-2023-24068?

CVE-2023-24068 is a vulnerability with a CVSS score of 7.8 (HIGH). Signal Desktop before 6.2.0 on Windows, Linux, and macOS allows an attacker to modify conversation attachments within the attachments.noindex directory. Client mechanisms fail to validate modification...

How severe is CVE-2023-24068?

CVE-2023-24068 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2023-24068?

Check the references section above for vendor advisories and patch information. Affected products include: Signal Signal-Desktop, Apple Macos, Linux Linux Kernel, Microsoft Windows.