CVE-2022-28345
First published: Fri Apr 15 2022(Updated: )
The Signal app before 5.34 for iOS allows URI spoofing via RTLO injection. It incorrectly renders RTLO encoded URLs beginning with a non-breaking space, when there is a hash character in the URL. This technique allows a remote unauthenticated attacker to send legitimate looking links, appearing to be any website URL, by abusing the non-http/non-https automatic rendering of URLs. An attacker can spoof, for example, example.com, and masquerade any URL with a malicious destination. An attacker requires a subdomain such as gepj, txt, fdp, or xcod, which would appear backwards as jpeg, txt, pdf, and docx respectively.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Signal Signal | <5.34 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2022-28345?
CVE-2022-28345 is a vulnerability in the Signal app before version 5.34 for iOS that allows URI spoofing via RTLO injection.
How severe is CVE-2022-28345?
CVE-2022-28345 has a severity rating of 7.5, which is considered high.
How does CVE-2022-28345 work?
CVE-2022-28345 incorrectly renders RTLO encoded URLs beginning with a non-breaking space when there is a hash character in the URL, allowing a remote unauthenticated attacker to send legitimate-looking links.
What is the affected software of CVE-2022-28345?
The affected software is Signal app for iOS versions before 5.34.
Is there a fix for CVE-2022-28345?
Yes, updating Signal app to version 5.34 or later fixes the CVE-2022-28345 vulnerability.
- collector/nvd-index
- agent/references
- agent/weakness
- agent/tags
- agent/type
- agent/description
- agent/event
- agent/softwarecombine
- agent/first-publish-date
- vendor/signal
- canonical/signal signal