PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-5603 Jitsi CVE debrief

CVE-2017-5603 is a medium-severity Jitsi vulnerability tied to incorrect handling of XEP-0280 Message Carbons. In affected versions, a remote attacker could cause the application to display messages as if they came from another user, including a contact, creating a practical social-engineering risk rather than a code-execution issue.

Vendor: Jitsi
Product: CVE-2017-5603
CVSS: MEDIUM 5.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-09
Original CVE updated: 2026-05-13
Advisory published: 2017-02-09
Advisory updated: 2026-05-13

Who should care

Jitsi administrators, helpdesk teams, and users of Jitsi 2.5.5061 through 2.9.5544 should care. Any environment that relies on chat identity for trust decisions, approvals, or incident response should treat this as a spoofing and impersonation risk.

Technical summary

The NVD record describes a network-reachable issue with no privileges and no user interaction required, but with high attack complexity. The flaw is an incorrect implementation of XEP-0280 Message Carbons that can let an attacker influence how message origin is presented in the client UI. NVD maps the issue to integrity impact only (CVSS v3.0 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N) and lists CWE-20 and CWE-346.

Defensive priority

Medium. The main impact is message impersonation and trust abuse, which can support phishing or fraud inside chat workflows, but the CVE does not indicate confidentiality or availability impact.

Recommended defensive actions

  • Confirm whether any Jitsi deployments are within the affected range 2.5.5061-2.9.5544.
  • Upgrade to a Jitsi release that is outside the affected range or otherwise contains the vendor fix.
  • If you maintain a custom build, review the referenced Jitsi patch commit and ensure the Message Carbons handling matches the intended validation behavior.
  • Treat unexpected identity changes in chat as a security signal; reinforce out-of-band verification for approvals, credential requests, and other trust-sensitive messages.
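The validation that XEP-0280 requires of a receiving client, as an added illustration (this is not the Jitsi patch or any Jitsi code): a forwarded carbon copy is only trusted when the outer message was delivered by the user's own bare JID, since only the user's own server is a legitimate source of carbons; anything else is ignored rather than displayed. The stanzas, JIDs and function names below are constructed for the example.

```python
import xml.etree.ElementTree as ET

NS_CLIENT = "jabber:client"
NS_CARBONS = "urn:xmpp:carbons:2"
NS_FORWARD = "urn:xmpp:forward:0"


def bare_jid(jid: str) -> str:
    """Strip the resource: 'alice@example.org/laptop' -> 'alice@example.org'."""
    return jid.split("/", 1)[0]


def unwrap_carbon(stanza_xml: str, own_jid: str):
    """Return (origin_jid, body) for a carbon that passes the XEP-0280 sender
    check, or None when the client must ignore the copy instead of showing it."""
    outer = ET.fromstring(stanza_xml)
    if outer.tag != f"{{{NS_CLIENT}}}message":
        return None
    wrapper = outer.find(f"{{{NS_CARBONS}}}received")
    if wrapper is None:
        wrapper = outer.find(f"{{{NS_CARBONS}}}sent")
    if wrapper is None:
        return None  # not a carbon copy at all
    # The origin check: the wrapper must come from our own bare JID. A missing
    # or foreign 'from' is rejected, so a third party cannot plant a "copy".
    if bare_jid(outer.get("from", "")) != bare_jid(own_jid):
        return None
    inner = wrapper.find(f"{{{NS_FORWARD}}}forwarded/{{{NS_CLIENT}}}message")
    if inner is None:
        return None
    body = inner.findtext(f"{{{NS_CLIENT}}}body", default="")
    # Only now is the inner 'from' safe to present as the message origin.
    return bare_jid(inner.get("from", "")), body


# Constructed sample: a genuine carbon delivered by the user's own server.
LEGIT_CARBON = """<message xmlns='jabber:client' from='alice@example.org' to='alice@example.org/laptop'>
  <received xmlns='urn:xmpp:carbons:2'>
    <forwarded xmlns='urn:xmpp:forward:0'>
      <message xmlns='jabber:client' from='bob@example.org/phone' to='alice@example.org/desk' type='chat'>
        <body>hi</body>
      </message>
    </forwarded>
  </received>
</message>"""

# Constructed sample: identical wrapper, but delivered by someone other than
# the user's own server; a compliant client must not display it as from bob.
FOREIGN_CARBON = LEGIT_CARBON.replace("from='alice@example.org'", "from='mallory@example.net'", 1)
```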

Evidence notes

The CVE description states that an incorrect implementation of XEP-0280 Message Carbons can allow a remote attacker to impersonate users in the application's display, enabling social engineering. The NVD record identifies affected Jitsi versions 2.5.5061 through 2.9.5544 and assigns CVSS v3.0 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N with CWE-20 and CWE-346. The source references include a Jitsi patch commit and contemporaneous advisories discussing the issue.

Official resources

Publicly disclosed on 2017-02-09 in the CVE/NVD record, with related advisories and a patch reference published the same day. The NVD record was later modified on 2026-05-13.