Description
### Background
Telegram is a cloud-based mobile and desktop messaging app with a focus on security and speed.
### Description
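It was discovered that the Terminate Session feature in Telegram failed to invalidate a recently active session (classified as CWE-613 in the CVE record), meaning a session the user had terminated was not reliably invalidated.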
### Impact
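Please review the referenced CVE identifier (CVE-2021-27351) for details. The CVE record rates it CVSS 3.1 base score 5.3 (Medium), with low integrity impact and no confidentiality or availability impact.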
### Workaround
There is no known workaround at this time.
### Resolution
All Telegram users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-im/telegram-desktop-2.4.11"
All Telegram binary users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-im/telegram-desktop-bin-2.4.11"
Affected Package
Related
{"id": "GLSA-202105-07", "vendorId": null, "type": "gentoo", "bulletinFamily": "unix", "title": "Telegram: Security bypass", "description": "### Background\n\nTelegram is a cloud-based mobile and desktop messaging app with a focus on security and speed. \n\n### Description\n\nIt was discovered that Telegram failed to invalidate a recently active session. \n\n### Impact\n\nPlease review the referenced CVE identifiers for details.\n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Telegram users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-im/telegram-desktop-2.4.11\"\n \n\nAll Telegram binary users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose\n \">=net-im/telegram-desktop-bin-2.4.11\"", "published": "2021-05-26T00:00:00", "modified": "2021-05-26T00:00:00", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4}, "href": "https://security.gentoo.org/glsa/202105-07", "reporter": "Gentoo Foundation", "references": 
[], "cvelist": ["CVE-2021-27351"], "immutableFields": [], "lastseen": "2022-01-17T18:59:25", "viewCount": 24, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-27351"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2021-27351"]}, {"type": "nessus", "idList": ["GENTOO_GLSA-202105-07.NASL"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2021-27351"]}], "rev": 4}, "score": {"value": 5.5, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2021-27351"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2021-27351"]}, {"type": "nessus", "idList": ["GENTOO_GLSA-202105-07.NASL"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2021-27351"]}]}, "exploitation": null, "vulnersScore": 5.5}, "affectedPackage": [{"OS": "Gentoo", "OSVersion": "any", "arch": "all", "packageFilename": "UNKNOWN", "packageVersion": "2.4.11", "operator": "lt", "packageName": "net-im/telegram-desktop"}, {"OS": "Gentoo", "OSVersion": "any", "arch": "all", "packageFilename": "UNKNOWN", "packageVersion": "2.4.11", "operator": "lt", "packageName": "net-im/telegram-desktop-bin"}], "_state": {"dependencies": 1646078962}}
{"nessus": [{"lastseen": "2021-08-19T12:01:05", "description": "The remote host is affected by the vulnerability described in GLSA-202105-07 (Telegram: Security bypass)\n\n It was discovered that Telegram failed to invalidate a recently active session.\n Impact :\n\n Please review the referenced CVE identifiers for details.\n Workaround :\n\n There is no known workaround at this time.", "cvss3": {"score": 5.3, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}, "published": "2021-05-27T00:00:00", "type": "nessus", "title": "GLSA-202105-07 : Telegram: Security bypass", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-27351"], "modified": "2021-06-01T00:00:00", "cpe": ["p-cpe:/a:gentoo:linux:telegram-desktop", "p-cpe:/a:gentoo:linux:telegram-desktop-bin", "cpe:/o:gentoo:linux"], "id": "GENTOO_GLSA-202105-07.NASL", "href": "https://www.tenable.com/plugins/nessus/150025", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 202105-07.\n#\n# The advisory text is Copyright (C) 2001-2021 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. 
See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(150025);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/06/01\");\n\n script_cve_id(\"CVE-2021-27351\");\n script_xref(name:\"GLSA\", value:\"202105-07\");\n\n script_name(english:\"GLSA-202105-07 : Telegram: Security bypass\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote host is affected by the vulnerability described in GLSA-202105-07\n(Telegram: Security bypass)\n\n It was discovered that Telegram failed to invalidate a recently active\n session.\n \nImpact :\n\n Please review the referenced CVE identifiers for details.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/202105-07\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"All Telegram users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=net-im/telegram-desktop-2.4.11'\n All Telegram binary users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose\n '>=net-im/telegram-desktop-bin-2.4.11'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", 
value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:telegram-desktop\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:telegram-desktop-bin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/05/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/05/27\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"net-im/telegram-desktop\", unaffected:make_list(\"ge 2.4.11\"), vulnerable:make_list(\"lt 2.4.11\"))) flag++;\nif (qpkg_check(package:\"net-im/telegram-desktop-bin\", unaffected:make_list(\"ge 2.4.11\"), vulnerable:make_list(\"lt 2.4.11\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else 
audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Telegram\");\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "ubuntucve": [{"lastseen": "2022-01-21T20:21:48", "description": "The Terminate Session feature in the Telegram application through 7.2.1 for\nAndroid, and through 2.4.7 for Windows and UNIX, fails to invalidate a\nrecently active session.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 5.3, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 1.4}, "published": "2021-02-19T00:00:00", "type": "ubuntucve", "title": "CVE-2021-27351", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-27351"], "modified": "2021-02-19T00:00:00", "id": "UB:CVE-2021-27351", "href": "https://ubuntu.com/security/CVE-2021-27351", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "debiancve": [{"lastseen": "2022-07-04T06:02:40", "description": "The Terminate Session feature in the Telegram application through 7.2.1 for Android, and through 2.4.7 for Windows and UNIX, fails to invalidate a recently active session.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", 
"attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2021-02-19T19:15:00", "type": "debiancve", "title": "CVE-2021-27351", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-27351"], "modified": "2021-02-19T19:15:00", "id": "DEBIANCVE:CVE-2021-27351", "href": "https://security-tracker.debian.org/tracker/CVE-2021-27351", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "cve": [{"lastseen": "2022-05-24T00:49:12", "description": "The Terminate Session feature in the Telegram application through 7.2.1 for Android, and through 2.4.7 for Windows and UNIX, fails to invalidate a recently active session.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2021-02-19T19:15:00", "type": "cve", "title": "CVE-2021-27351", "cwe": ["CWE-613"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": 
false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-27351"], "modified": "2022-05-23T22:18:00", "cpe": ["cpe:/a:telegram:telegram:2.4.7", "cpe:/a:telegram:telegram:7.2.1"], "id": "CVE-2021-27351", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-27351", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:telegram:telegram:7.2.1:*:*:*:*:android:*:*", "cpe:2.3:a:telegram:telegram:2.4.7:*:*:*:*:windows:*:*", "cpe:2.3:a:telegram:telegram:2.4.7:*:*:*:*:unix:*:*"]}]}