CVE Vulnerability

CVE-2022-45195

SimpleXMQ before 3.4.0, as used in SimpleX Chat before 4.2, does not apply a key derivation function to intended data, which can interfere with forward secrecy and can have other impacts if there is a compromise of a single private key. This occurs in the X3DH key exchange for the double ratchet protocol.

5.3 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.6 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://simplex.chat/blog/20221108-simplex-chat-v4.2-security-audit-new-website.html Release Notes Vendor Advisory
https://github.com/simplex-chat/simplexmq/pull/548 Patch Third Party Advisory
https://github.com/trailofbits/publications/blob/master/reviews/SimpleXChat.pdf Exploit Technical Description
https://github.com/simplex-chat/simplexmq/compare/v3.3.0...v3.4.0 Release Notes Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:simplex:simplex_chat:*:*:*:*:*:*:*:*
cpe:2.3:a:simplex:simplexmq:*:*:*:*:*:*:*:*
Information

Published : 2022-11-12 07:15

Updated : 2022-11-17 05:06

NVD link : CVE-2022-45195

Mitre link : CVE-2022-45195

Products Affected
No products.
CWE
CWE-327