CVE-2018-17780

EUVD-2018-9527
Telegram Desktop (aka tdesktop) 1.3.14, and Telegram 3.3.0.0 WP8.1 on Windows, leaks end-user public and private IP addresses during a call because of an unsafe default behavior in which P2P connections are accepted from clients outside of the My Contacts list.
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 6.5 MEDIUM | NETWORK | LOW | LOW | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
EPSS Score percentile: 58%
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| telegram | telegram_desktop | 1.3.14 |
| telegram | telegram_messenger | 3.3.0.0 |
Debian Releases
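| Debian Product | Codename | Version | Status |
|---|---|---|---|
| telegram-desktop | bookworm | 4.6.5+ds-2 | fixed |
| telegram-desktop | bullseye | 3.1.1+ds-1~deb11u2 | fixed |
| telegram-desktop | sid | 4.14.9+ds-1.1 | fixed |
| telegram-desktop | trixie | 4.14.9+ds-1.1 | fixed |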
Ubuntu Releases
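| Ubuntu Product | Codename | Status |
|---|---|---|
| telegram-desktop | bionic | needed |
| telegram-desktop | cosmic | ignored |
| telegram-desktop | disco | ignored |
| telegram-desktop | eoan | ignored |
| telegram-desktop | focal | needed |
| telegram-desktop | groovy | ignored |
| telegram-desktop | hirsute | ignored |
| telegram-desktop | impish | ignored |
| telegram-desktop | jammy | needed |
| telegram-desktop | kinetic | ignored |
| telegram-desktop | lunar | dne |
| telegram-desktop | mantic | dne |
| telegram-desktop | noble | dne |
| telegram-desktop | trusty | dne |
| telegram-desktop | xenial | dne |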