CVE-2018-17780

Telegram Desktop (aka tdesktop) 1.3.14, and Telegram 3.3.0.0 WP8.1 on Windows, leaks end-user public and private IP addresses during a call because of an unsafe default behavior in which P2P connections are accepted from clients outside of the My Contacts list.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.5 MEDIUM
NETWORK
LOW
LOW
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 57%
VendorProductVersion
telegramtelegram_desktop
1.3.14
telegramtelegram_messenger
3.3.0.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
telegram-desktop
bullseye
3.1.1+ds-1~deb11u2
fixed
bookworm
4.6.5+ds-2
fixed
sid
4.14.9+ds-1.1
fixed
trixie
4.14.9+ds-1.1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
telegram-desktop
noble
dne
mantic
dne
lunar
dne
kinetic
ignored
jammy
needed
impish
ignored
hirsute
ignored
groovy
ignored
focal
needed
eoan
ignored
disco
ignored
cosmic
ignored
bionic
needed
xenial
dne
trusty
dne
Common Weakness Enumeration
References
http://www.securityfocus.com/bid/105521
https://www.inputzero.io/2018/09/bug-bounty-telegram-cve-2018-17780.html
http://www.securityfocus.com/bid/105521
https://www.inputzero.io/2018/09/bug-bounty-telegram-cve-2018-17780.html