SimpleXMQ before 3.4.0, as used in SimpleX Chat before 4.2, does not apply a key derivation function to intended data, which can interfere with forward secrecy and can have other impacts if there is a compromise of a single private key. This occurs in the X3DH key exchange for the double ratchet protocol.
References
Link | Resource |
---|---|
https://github.com/simplex-chat/simplexmq/compare/v3.3.0...v3.4.0 | Release Notes Third Party Advisory |
https://github.com/simplex-chat/simplexmq/pull/548 | Patch Third Party Advisory |
https://github.com/trailofbits/publications/blob/master/reviews/SimpleXChat.pdf | Exploit Technical Description Third Party Advisory |
https://simplex.chat/blog/20221108-simplex-chat-v4.2-security-audit-new-website.html | Release Notes Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
17 Nov 2022, 17:06
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) https://github.com/simplex-chat/simplexmq/compare/v3.3.0...v3.4.0 - Release Notes, Third Party Advisory | |
References | (MISC) https://github.com/simplex-chat/simplexmq/pull/548 - Patch, Third Party Advisory | |
References | (MISC) https://github.com/trailofbits/publications/blob/master/reviews/SimpleXChat.pdf - Exploit, Technical Description, Third Party Advisory | |
References | (MISC) https://simplex.chat/blog/20221108-simplex-chat-v4.2-security-audit-new-website.html - Release Notes, Vendor Advisory | |
CPE | cpe:2.3:a:simplex:simplexmq:*:*:*:*:*:*:*:* cpe:2.3:a:simplex:simplex_chat:*:*:*:*:*:*:*:* |
|
CWE | CWE-327 | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 5.3 |
First Time |
Simplex simplex Chat
Simplex Simplex simplexmq |
12 Nov 2022, 19:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-11-12 19:15
Updated : 2023-12-10 14:35
NVD link : CVE-2022-45195
Mitre link : CVE-2022-45195
CVE.ORG link : CVE-2022-45195
JSON object : View
Products Affected
simplex
- simplexmq
- simplex_chat
CWE
CWE-327
Use of a Broken or Risky Cryptographic Algorithm