
41 vulnerabilities found for wire by wire

VAR-202211-1308

Vulnerability from variot - Updated: 2023-12-18 13:50

Wire through 3.22.3993 on Windows advertises deletion of sent messages; nonetheless, all messages can be retrieved (for a limited period of time) from the AppData\Roaming\Wire\IndexedDB\https_app.wire.com_0.indexeddb.leveldb database. Wire Swiss GmbH's wire-server for Windows contains a vulnerability related to information leakage from log files (the record classifies this as CWE-532, although the store named above is the client's local IndexedDB database rather than a conventional log file). Information may be obtained.


{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-202211-1308",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "wire",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "wire",
        "version": "3.22.3993"
      },
      {
        "model": "wire-server",
        "scope": null,
        "trust": 0.8,
        "vendor": "wire swiss",
        "version": null
      },
      {
        "model": "wire-server",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "wire swiss",
        "version": null
      },
      {
        "model": "wire-server",
        "scope": "lte",
        "trust": 0.8,
        "vendor": "wire swiss",
        "version": "3.22.3993  and earlier"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2022-021453"
      },
      {
        "db": "NVD",
        "id": "CVE-2022-43673"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:wire:wire:*:*:*:*:*:windows:*:*",
                "cpe_name": [],
                "versionEndIncluding": "3.22.3993",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2022-43673"
      }
    ]
  },
  "cve": "CVE-2022-43673",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [],
        "cvssV3": [
          {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "author": "NVD",
            "availabilityImpact": "NONE",
            "baseScore": 4.7,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 1.0,
            "impactScore": 3.6,
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          {
            "attackComplexity": "High",
            "attackVector": "Local",
            "author": "NVD",
            "availabilityImpact": "None",
            "baseScore": 4.7,
            "baseSeverity": "Medium",
            "confidentialityImpact": "High",
            "exploitabilityScore": null,
            "id": "CVE-2022-43673",
            "impactScore": null,
            "integrityImpact": "None",
            "privilegesRequired": "Low",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2022-43673",
            "trust": 1.8,
            "value": "MEDIUM"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-202211-3056",
            "trust": 0.6,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2022-021453"
      },
      {
        "db": "NVD",
        "id": "CVE-2022-43673"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202211-3056"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Wire through 3.22.3993 on Windows advertises deletion of sent messages; nonetheless, all messages can be retrieved (for a limited period of time) from the AppData\\Roaming\\Wire\\IndexedDB\\https_app.wire.com_0.indexeddb.leveldb database. Wire Swiss GmbH of Windows for wire-server Contains a vulnerability related to information leakage from log files.Information may be obtained",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2022-43673"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2022-021453"
      }
    ],
    "trust": 1.62
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2022-43673",
        "trust": 3.2
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2022-021453",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202211-3056",
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2022-021453"
      },
      {
        "db": "NVD",
        "id": "CVE-2022-43673"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202211-3056"
      }
    ]
  },
  "id": "VAR-202211-1308",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VARIoT devices database",
        "id": null
      }
    ],
    "trust": 0.29166666
  },
  "last_update_date": "2023-12-18T13:50:47.441000Z",
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-532",
        "trust": 1.0
      },
      {
        "problemtype": "Information leakage from log files (CWE-532) [NVD evaluation ]",
        "trust": 0.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2022-021453"
      },
      {
        "db": "NVD",
        "id": "CVE-2022-43673"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.4,
        "url": "https://wire.com/"
      },
      {
        "trust": 2.4,
        "url": "https://www.secuvera.de/advisories/secuvera-sa-2022-01.txt"
      },
      {
        "trust": 0.8,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2022-43673"
      },
      {
        "trust": 0.6,
        "url": "https://cxsecurity.com/cveshow/cve-2022-43673/"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2022-021453"
      },
      {
        "db": "NVD",
        "id": "CVE-2022-43673"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202211-3056"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2022-021453"
      },
      {
        "db": "NVD",
        "id": "CVE-2022-43673"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202211-3056"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2023-11-10T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2022-021453"
      },
      {
        "date": "2022-11-18T20:15:10.193000",
        "db": "NVD",
        "id": "CVE-2022-43673"
      },
      {
        "date": "2022-11-18T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202211-3056"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2023-11-10T08:16:00",
        "db": "JVNDB",
        "id": "JVNDB-2022-021453"
      },
      {
        "date": "2022-11-23T18:21:48.317000",
        "db": "NVD",
        "id": "CVE-2022-43673"
      },
      {
        "date": "2022-11-24T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202211-3056"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "local",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202211-3056"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Wire\u00a0Swiss\u00a0GmbH\u00a0 of \u00a0Windows\u00a0 for \u00a0wire-server\u00a0 Vulnerability regarding information leakage from log files in",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2022-021453"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "log information leak",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202211-3056"
      }
    ],
    "trust": 0.6
  }
}

VAR-202301-1851

Vulnerability from variot - Updated: 2023-12-18 13:00

wire-server provides back end services for Wire, a team communication and collaboration platform. Prior to version 2022-12-09, every member of a Conversation can remove a Bot from a Conversation due to a missing permissions check. Only Conversation admins should be able to remove Bots. Regular Conversations are not allowed to do so. The issue is fixed in wire-server 2022-12-09 and is already deployed on all Wire managed services. On-premise instances of wire-server need to be updated to 2022-12-09/Chart 4.29.0, so that their backends are no longer affected. There are no known workarounds. wire-server contains vulnerabilities related to insufficient permissions or improper handling of privileges, and vulnerabilities related to lack of authentication (recorded as CWE-280 and CWE-862; CWE-862 is MITRE's "Missing Authorization", which matches the missing permissions check described above). The service may be put into an operation-interruption (DoS) state.


{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-202301-1851",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "wire",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "wire",
        "version": "2022-12-09"
      },
      {
        "model": "wire-server",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "wire swiss",
        "version": "2022-12-09"
      },
      {
        "model": "wire-server",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "wire swiss",
        "version": null
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2023-003092"
      },
      {
        "db": "NVD",
        "id": "CVE-2023-22737"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:wire:wire:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2022-12-09",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2023-22737"
      }
    ]
  },
  "cve": "CVE-2023-22737",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "NVD",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 2.8,
            "impactScore": 3.6,
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "trust": 2.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "OTHER",
            "availabilityImpact": "High",
            "baseScore": 6.5,
            "baseSeverity": "Medium",
            "confidentialityImpact": "None",
            "exploitabilityScore": null,
            "id": "JVNDB-2023-003092",
            "impactScore": null,
            "integrityImpact": "None",
            "privilegesRequired": "Low",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2023-22737",
            "trust": 1.0,
            "value": "MEDIUM"
          },
          {
            "author": "security-advisories@github.com",
            "id": "CVE-2023-22737",
            "trust": 1.0,
            "value": "MEDIUM"
          },
          {
            "author": "OTHER",
            "id": "JVNDB-2023-003092",
            "trust": 0.8,
            "value": "Medium"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-202301-2277",
            "trust": 0.6,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2023-003092"
      },
      {
        "db": "NVD",
        "id": "CVE-2023-22737"
      },
      {
        "db": "NVD",
        "id": "CVE-2023-22737"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202301-2277"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "wire-server provides back end services for Wire, a team communication and collaboration platform. Prior to version 2022-12-09, every member of a Conversation can remove a Bot from a Conversation due to a missing permissions check. Only Conversation admins should be able to remove Bots. Regular Conversations are not allowed to do so. The issue is fixed in wire-server 2022-12-09 and is already deployed on all Wire managed services. On-premise instances of wire-server need to be updated to 2022-12-09/Chart 4.29.0, so that their backends are no longer affected. There are no known workarounds. wire-server contains vulnerabilities related to insufficient permissions or improper handling of privileges, and vulnerabilities related to lack of authentication.Service operation interruption (DoS) It may be in a state",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2023-22737"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2023-003092"
      },
      {
        "db": "VULMON",
        "id": "CVE-2023-22737"
      }
    ],
    "trust": 1.71
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2023-22737",
        "trust": 3.3
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2023-003092",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202301-2277",
        "trust": 0.6
      },
      {
        "db": "VULMON",
        "id": "CVE-2023-22737",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2023-22737"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2023-003092"
      },
      {
        "db": "NVD",
        "id": "CVE-2023-22737"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202301-2277"
      }
    ]
  },
  "id": "VAR-202301-1851",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VARIoT devices database",
        "id": null
      }
    ],
    "trust": 0.29166666
  },
  "last_update_date": "2023-12-18T13:00:20.878000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "2022-12-09\u00a0(Chart\u00a0Release\u00a04.29.0) GitHub",
        "trust": 0.8,
        "url": "https://github.com/wireapp/wire-server/commit/494a6881f5895d4ed9e5d011455242be0d5e6223"
      },
      {
        "title": "Wire Security vulnerabilities",
        "trust": 0.6,
        "url": "http://123.124.177.30/web/xxk/bdxqbyid.tag?id=222942"
      },
      {
        "title": "",
        "trust": 0.1,
        "url": "https://github.com/live-hack-cve/cve-2023-22737 "
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2023-22737"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2023-003092"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202301-2277"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-280",
        "trust": 1.0
      },
      {
        "problemtype": "CWE-862",
        "trust": 1.0
      },
      {
        "problemtype": "Insufficient permissions or improper handling of privileges (CWE-280) [ others ]",
        "trust": 0.8
      },
      {
        "problemtype": " Lack of authentication (CWE-862) [ others ]",
        "trust": 0.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2023-003092"
      },
      {
        "db": "NVD",
        "id": "CVE-2023-22737"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 1.7,
        "url": "https://github.com/wireapp/wire-server/commit/494a6881f5895d4ed9e5d011455242be0d5e6223"
      },
      {
        "trust": 1.7,
        "url": "https://github.com/wireapp/wire-server/releases/tag/v2022-12-09"
      },
      {
        "trust": 1.7,
        "url": "https://github.com/wireapp/wire-server/pull/2870"
      },
      {
        "trust": 1.7,
        "url": "https://github.com/wireapp/wire-server/security/advisories/ghsa-xmjc-c6w3-pcp4"
      },
      {
        "trust": 0.8,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2023-22737"
      },
      {
        "trust": 0.6,
        "url": "https://cxsecurity.com/cveshow/cve-2023-22737/"
      },
      {
        "trust": 0.1,
        "url": "https://cwe.mitre.org/data/definitions/280.html"
      },
      {
        "trust": 0.1,
        "url": "https://cwe.mitre.org/data/definitions/862.html"
      },
      {
        "trust": 0.1,
        "url": "https://github.com/live-hack-cve/cve-2023-22737"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov"
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2023-22737"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2023-003092"
      },
      {
        "db": "NVD",
        "id": "CVE-2023-22737"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202301-2277"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "VULMON",
        "id": "CVE-2023-22737"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2023-003092"
      },
      {
        "db": "NVD",
        "id": "CVE-2023-22737"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202301-2277"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2023-01-28T00:00:00",
        "db": "VULMON",
        "id": "CVE-2023-22737"
      },
      {
        "date": "2023-08-31T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2023-003092"
      },
      {
        "date": "2023-01-28T00:15:08.863000",
        "db": "NVD",
        "id": "CVE-2023-22737"
      },
      {
        "date": "2023-01-28T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202301-2277"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2023-01-30T00:00:00",
        "db": "VULMON",
        "id": "CVE-2023-22737"
      },
      {
        "date": "2023-08-31T05:22:00",
        "db": "JVNDB",
        "id": "JVNDB-2023-003092"
      },
      {
        "date": "2023-02-08T17:41:31.743000",
        "db": "NVD",
        "id": "CVE-2023-22737"
      },
      {
        "date": "2023-02-09T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202301-2277"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202301-2277"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "wire-server\u00a0 Insufficient Permissions or Improper Handling of Privileges Vulnerabilities in",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2023-003092"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "other",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202301-2277"
      }
    ],
    "trust": 0.6
  }
}

FKIE_CVE-2023-22737

Vulnerability from fkie_nvd - Published: 2023-01-28 00:15 - Updated: 2024-11-21 07:45
Summary
wire-server provides back end services for Wire, a team communication and collaboration platform. Prior to version 2022-12-09, every member of a Conversation can remove a Bot from a Conversation due to a missing permissions check. Only Conversation admins should be able to remove Bots. Regular Conversations are not allowed to do so. The issue is fixed in wire-server 2022-12-09 and is already deployed on all Wire managed services. On-premise instances of wire-server need to be updated to 2022-12-09/Chart 4.29.0, so that their backends are no longer affected. There are no known workarounds.
Impacted products
Vendor Product Version
wire wire *

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:wire:wire:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "6B9F25B1-5AD0-4C54-B866-BABA35EA2586",
              "versionEndExcluding": "2022-12-09",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "wire-server provides back end services for Wire, a team communication and collaboration platform. Prior to version 2022-12-09, every member of a Conversation can remove a Bot from a Conversation due to a missing permissions check. Only Conversation admins should be able to remove Bots. Regular Conversations are not allowed to do so. The issue is fixed in wire-server 2022-12-09 and is already deployed on all Wire managed services. On-premise instances of wire-server need to be updated to 2022-12-09/Chart 4.29.0, so that their backends are no longer affected. There are no known workarounds."
    },
    {
      "lang": "es",
      "value": "wire-server proporciona servicios back-end para Wire, una plataforma de colaboraci\u00f3n y comunicaci\u00f3n en equipo. Antes de la versi\u00f3n 2022-12-09, cada miembro de una conversaci\u00f3n pod\u00eda eliminar un Bot de una conversaci\u00f3n debido a una falta de verificaci\u00f3n de permisos. Solo los administradores de Conversaciones deber\u00edan poder eliminar Bots. No se permiten conversaciones regulares para hacerlo. El problema se solucion\u00f3 en Wire-server 2022-12-09 y ya est\u00e1 implementado en todos los servicios administrados por Wire. Las instancias locales del servidor de conexi\u00f3n deben actualizarse a 2022-12-09/Chart 4.29.0, para que sus backends ya no se vean afectados. No se conocen workarounds."
    }
  ],
  "id": "CVE-2023-22737",
  "lastModified": "2024-11-21T07:45:19.600",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-01-28T00:15:08.863",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/wireapp/wire-server/commit/494a6881f5895d4ed9e5d011455242be0d5e6223"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/wireapp/wire-server/pull/2870"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/wireapp/wire-server/releases/tag/v2022-12-09"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/wireapp/wire-server/security/advisories/GHSA-xmjc-c6w3-pcp4"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/wireapp/wire-server/commit/494a6881f5895d4ed9e5d011455242be0d5e6223"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/wireapp/wire-server/pull/2870"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/wireapp/wire-server/releases/tag/v2022-12-09"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/wireapp/wire-server/security/advisories/GHSA-xmjc-c6w3-pcp4"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-280"
        },
        {
          "lang": "en",
          "value": "CWE-862"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

FKIE_CVE-2022-43673

Vulnerability from fkie_nvd - Published: 2022-11-18 20:15 - Updated: 2025-04-30 14:15
Summary
Wire through 3.22.3993 on Windows advertises deletion of sent messages; nonetheless, all messages can be retrieved (for a limited period of time) from the AppData\Roaming\Wire\IndexedDB\https_app.wire.com_0.indexeddb.leveldb database.
Impacted products
Vendor Product Version
wire wire *

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:wire:wire:*:*:*:*:*:windows:*:*",
              "matchCriteriaId": "D38C5228-9745-40F1-8651-6609992C9547",
              "versionEndIncluding": "3.22.3993",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Wire through 3.22.3993 on Windows advertises deletion of sent messages; nonetheless, all messages can be retrieved (for a limited period of time) from the AppData\\Roaming\\Wire\\IndexedDB\\https_app.wire.com_0.indexeddb.leveldb database."
    },
    {
      "lang": "es",
      "value": "La conexi\u00f3n hasta 3.22.3993 en Windows anuncia la eliminaci\u00f3n de mensajes enviados; no obstante, todos los mensajes se pueden recuperar (por un per\u00edodo de tiempo limitado) de la base de datos AppData\\Roaming\\Wire\\IndexedDB\\https_app.wire.com_0.indexeddb.leveldb."
    }
  ],
  "id": "CVE-2022-43673",
  "lastModified": "2025-04-30T14:15:26.123",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 4.7,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.0,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      },
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 4.7,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.0,
        "impactScore": 3.6,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2022-11-18T20:15:10.193",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Product"
      ],
      "url": "https://wire.com/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://www.secuvera.de/advisories/secuvera-SA-2022-01.txt"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product"
      ],
      "url": "https://wire.com/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://www.secuvera.de/advisories/secuvera-SA-2022-01.txt"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-532"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-532"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

FKIE_CVE-2022-31009

Vulnerability from fkie_nvd - Published: 2022-06-23 07:15 - Updated: 2024-11-21 07:03
Summary
wire-ios is an iOS client for the Wire secure messaging application. Invalid accent colors of Wire communication partners may render the iOS Wire Client partially unusable by causing it to crash multiple times on launch. These invalid accent colors can be used by and sent between Wire users. The root cause was an unnecessary assert statement when converting an integer value into the corresponding enum value, causing an exception instead of a fallback to a default value. This issue is fixed in [wire-ios](https://github.com/wireapp/wire-ios/commit/caa0e27dbe51f9edfda8c7a9f017d93b8cfddefb) and in Wire for iOS 3.100. There is no workaround available, but users may use other Wire clients (such as the [web app](https://app.wire.com)) to continue using Wire, or upgrade their client.
Impacted products
Vendor Product Version
wire wire *

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:wire:wire:*:*:*:*:*:iphone_os:*:*",
              "matchCriteriaId": "EE5B3BFC-EC98-48AF-A866-2E3E463AAC7F",
              "versionEndExcluding": "3.100",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "wire-ios is an iOS client for the Wire secure messaging application. Invalid accent colors of Wire communication partners may render the iOS Wire Client partially unusable by causing it to crash multiple times on launch. These invalid accent colors can be used by and sent between Wire users. The root cause was an unnecessary assert statement when converting an integer value into the corresponding enum value, causing an exception instead of a fallback to a default value. This issue is fixed in [wire-ios](https://github.com/wireapp/wire-ios/commit/caa0e27dbe51f9edfda8c7a9f017d93b8cfddefb) and in Wire for iOS 3.100. There is no workaround available, but users may use other Wire clients (such as the [web app](https://app.wire.com)) to continue using Wire, or upgrade their client."
    },
    {
      "lang": "es",
      "value": "wire-ios es un cliente iOS para la aplicaci\u00f3n de mensajer\u00eda segura Wire. Los colores de acento no v\u00e1lidos de los interlocutores de comunicaci\u00f3n de Wire pueden hacer que el cliente de Wire para iOS sea parcialmente inusable al hacer que sea bloqueado varias veces al iniciarse. Estos colores de acento no v\u00e1lidos pueden ser usados por los usuarios de Wire y enviados entre ellos. La causa principal era una sentencia assert innecesaria al convertir un valor entero en el valor enum correspondiente, causando una excepci\u00f3n en lugar de un retorno a un valor por defecto. Este problema ha sido corregido en [wire-ios](https://github.com/wireapp/wire-ios/commit/caa0e27dbe51f9edfda8c7a9f017d93b8cfddefb) y en Wire para iOS versi\u00f3n 3.100. No se presenta ninguna mitigaci\u00f3n soluci\u00f3n disponible, pero los usuarios pueden usar otros clientes de Wire (como la [aplicaci\u00f3n web](https://app.wire.com)) para seguir usando Wire, o actualizar su cliente"
    }
  ],
  "id": "CVE-2022-31009",
  "lastModified": "2024-11-21T07:03:42.460",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 4.0,
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 5.7,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.1,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-06-23T07:15:07.257",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/wireapp/wire-ios/commit/caa0e27dbe51f9edfda8c7a9f017d93b8cfddefb"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-83m6-p7x5-925j"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/wireapp/wire-ios/commit/caa0e27dbe51f9edfda8c7a9f017d93b8cfddefb"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-83m6-p7x5-925j"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-617"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

FKIE_CVE-2022-23625

Vulnerability from fkie_nvd - Published: 2022-03-11 18:15 - Updated: 2024-11-21 06:48
Summary
Wire-ios is a messaging application using the Wire protocol on Apple's iOS platform. In versions prior to 3.95, malformed resource identifiers may render the iOS Wire Client completely unusable by causing it to repeatedly crash on launch. These malformed resource identifiers can be generated and sent between Wire users. The root cause lies in [wireapp/wire-ios-transport](https://github.com/wireapp/wire-ios-transport), where code responsible for removing sensitive tokens before logging may fail and lead to a crash (Swift exception) of the application. This causes undesirable behavior; however, the (greater) Wire system is still functional. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue.
Impacted products
Vendor Product Version
wire wire *
wire wire-ios-transport *

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:wire:wire:*:*:*:*:*:iphone_os:*:*",
              "matchCriteriaId": "8676CA54-328C-4C00-8EF8-DD54BF8712E2",
              "versionEndExcluding": "3.95",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:wire:wire-ios-transport:*:*:*:*:*:iphone_os:*:*",
              "matchCriteriaId": "4D57B655-B6AF-481B-8B58-425F1561722D",
              "versionEndExcluding": "84.1.1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Wire-ios is a messaging application using the wire protocol on apple\u0027s ios platform. In versions prior to 3.95 malformed resource identifiers may render the iOS Wire Client completely unusable by causing it to repeatedly crash on launch. These malformed resource identifiers can be generated and sent between Wire users. The root cause lies in [wireapp/wire-ios-transport](https://github.com/wireapp/wire-ios-transport), where code responsible for removing sensible tokens before logging may fail and lead to a crash (Swift exception) of the application. This causes undesirable behavior, however the (greater) Wire system is still functional. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue."
    },
    {
      "lang": "es",
      "value": "Wire-ios es una aplicaci\u00f3n de mensajer\u00eda que usando el protocolo wire en la plataforma ios de apple. En versiones anteriores a 3.95, los identificadores de recursos malformados pueden hacer que el cliente Wire de iOS sea completamente inusable al causar que sea bloqueado repetidamente al iniciarse. Estos identificadores de recursos malformados pueden ser generados y enviados entre usuarios de Wire. La causa root es encontrada en [wireapp/wire-ios-transport](https://github.com/wireapp/wire-ios-transport), donde el c\u00f3digo responsable de eliminar los tokens confidenciales antes del registro puede fallar y conllevar a un fallo (excepci\u00f3n Swift) de la aplicaci\u00f3n. Esto causa un comportamiento no deseable, sin embargo el sistema Wire (mayor) sigue siendo funcional. Es recomendado a usuarios actualizar lo antes posible. No se presentan medidas de mitigaci\u00f3n conocidas para este problema"
    }
  ],
  "id": "CVE-2022-23625",
  "lastModified": "2024-11-21T06:48:57.743",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 4.0,
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-03-11T18:15:31.493",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/wireapp/wire-ios-transport/commit/02e90aa45edaf7eb2d8b97fa2377cd8104274170"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/wireapp/wire-ios-transport/security/advisories/GHSA-3xvh-x964-572h"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-rq36-8qfp-79mc"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/wireapp/wire-ios-transport/commit/02e90aa45edaf7eb2d8b97fa2377cd8104274170"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/wireapp/wire-ios-transport/security/advisories/GHSA-3xvh-x964-572h"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-rq36-8qfp-79mc"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-755"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-755"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

FKIE_CVE-2021-41094

Vulnerability from fkie_nvd - Published: 2021-10-04 19:15 - Updated: 2024-11-21 06:25
Summary
Wire is an open source secure messenger. Users of Wire by Bund may bypass the mandatory encryption at rest feature by simply disabling their device passcode. Upon launching, the app will attempt to enable encryption at rest by generating encryption keys via the Secure Enclave; however, it will fail silently if no device passcode is set. The user has no indication that encryption at rest is not active, since the feature is hidden from them. This issue has been resolved in version 3.70.
Impacted products
Vendor Product Version
wire wire *

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:wire:wire:*:*:*:*:*:iphone_os:*:*",
              "matchCriteriaId": "406E9C9E-C863-4786-8E78-BA2DDE01FAAE",
              "versionEndExcluding": "3.70",
              "versionStartIncluding": "3.68",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Wire is an open source secure messenger. Users of Wire by Bund may bypass the mandatory encryption at rest feature by simply disabling their device passcode. Upon launching, the app will attempt to enable encryption at rest by generating encryption keys via the Secure Enclave, however it will fail silently if no device passcode is set. The user has no indication that encryption at rest is not active since the feature is hidden to them. This issue has been resolved in version 3.70"
    },
    {
      "lang": "es",
      "value": "Wire es una mensajer\u00eda segura de c\u00f3digo abierto. Los usuarios de Wire by Bund pueden omitir la funcionalidad mandatory encryption at rest simplemente deshabilitando el c\u00f3digo de acceso de su dispositivo. Al iniciarse, la aplicaci\u00f3n intentar\u00e1 habilitar el cifrado en reposo al generar claves de cifrado por medio del Enclave Seguro, pero fallar\u00e1 silenciosamente si no se ha establecido un c\u00f3digo de acceso en el dispositivo. El usuario no presenta ninguna indicaci\u00f3n de que el cifrado en reposo no est\u00e1 activo, ya que la funcionalidad est\u00e1 oculta para \u00e9l. Este problema ha sido resuelto en la versi\u00f3n 3.70"
    }
  ],
  "id": "CVE-2021-41094",
  "lastModified": "2024-11-21T06:25:27.123",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "LOCAL",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 2.1,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 4.2,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 0.6,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "PHYSICAL",
          "availabilityImpact": "NONE",
          "baseScore": 4.6,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 0.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-10-04T19:15:08.377",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/wireapp/wire-ios/commit/5ba3eb180efc3fc795d095f9c84ae7f109b84746"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-h4m7-pr8h-j7rf"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/wireapp/wire-ios/commit/5ba3eb180efc3fc795d095f9c84ae7f109b84746"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-h4m7-pr8h-j7rf"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-668"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-Other"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

FKIE_CVE-2021-41093

Vulnerability from fkie_nvd - Published: 2021-10-04 19:15 - Updated: 2024-11-21 06:25
Summary
Wire is an open source secure messenger. In affected versions, if an attacker gets an old but valid access token, they can take over an account by changing the email. This issue has been resolved in version 3.86, which uses a new endpoint that additionally requires an authentication cookie. See wire-ios-sync-engine and wire-ios-transport references. This is the root advisory that pulls the changes together.
Impacted products
Vendor Product Version
wire wire *

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:wire:wire:*:*:*:*:*:iphone_os:*:*",
              "matchCriteriaId": "3CFFCDE1-A356-44F0-8BBB-2A1E6681620C",
              "versionEndExcluding": "3.86",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Wire is an open source secure messenger. In affected versions if the an attacker gets an old but valid access token they can take over an account by changing the email. This issue has been resolved in version 3.86 which uses a new endpoint which additionally requires an authentication cookie. See wire-ios-sync-engine and wire-ios-transport references. This is the root advisory that pulls the changes together."
    },
    {
      "lang": "es",
      "value": "Wire es una mensajer\u00eda segura de c\u00f3digo abierto. En las versiones afectadas, si un atacante consigue un token de acceso antiguo pero v\u00e1lido, puede hacerse con una cuenta al cambiar el correo electr\u00f3nico. Este problema ha sido resuelto en la versi\u00f3n 3.86, que usa un nuevo endpoint que requiere adicionalmente una cookie de autenticaci\u00f3n. Ver las referencias wire-ios-sync-engine y wire-ios-transport. Este es el aviso root que re\u00fane los cambios"
    }
  ],
  "id": "CVE-2021-41093",
  "lastModified": "2024-11-21T06:25:26.963",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 7.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.4,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 5.2,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-10-04T19:15:08.203",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Broken Link"
      ],
      "url": "https://github.com/wireapp/wire-ios-sync-engine/security/advisories/GHSA-w727-5f74-49xj"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Broken Link"
      ],
      "url": "https://github.com/wireapp/wire-ios-transport/security/advisories/GHSA-p354-6r3m-g4xr"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/wireapp/wire-ios/commit/b0e7bb3b13dd8212032cb46e32edf701694687c7"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-6f4c-phfj-m255"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/wireapp/wire-server/security/advisories/GHSA-9rm2-w6pq-333m"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Broken Link"
      ],
      "url": "https://github.com/wireapp/wire-ios-sync-engine/security/advisories/GHSA-w727-5f74-49xj"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Broken Link"
      ],
      "url": "https://github.com/wireapp/wire-ios-transport/security/advisories/GHSA-p354-6r3m-g4xr"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/wireapp/wire-ios/commit/b0e7bb3b13dd8212032cb46e32edf701694687c7"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-6f4c-phfj-m255"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/wireapp/wire-server/security/advisories/GHSA-9rm2-w6pq-333m"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-285"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-863"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

FKIE_CVE-2021-32755

Vulnerability from fkie_nvd - Published: 2021-07-13 21:15 - Updated: 2024-11-21 06:07
Summary
Wire is a collaboration platform. wire-ios-transport handles authentication of requests, network failures, and retries for the iOS implementation of Wire. In the 3.82 version of the iOS application, a new web socket implementation was introduced for users running iOS 13 or higher. This new websocket implementation is not configured to enforce certificate pinning when available. Certificate pinning for the new websocket is enforced in version 3.84 or above.
Impacted products
Vendor Product Version
wire wire *
apple iphone_os *

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:wire:wire:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "68C9EF30-515C-4DD1-B2C8-0EF94CA78B9E",
              "versionEndExcluding": "3.84",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "FF8F6B65-EBEA-4C30-9908-14EF61559016",
              "versionStartIncluding": "13.0",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Wire is a collaboration platform. wire-ios-transport handles authentication of requests, network failures, and retries for the iOS implementation of Wire. In the 3.82 version of the iOS application, a new web socket implementation was introduced for users running iOS 13 or higher. This new websocket implementation is not configured to enforce certificate pinning when available. Certificate pinning for the new websocket is enforced in version 3.84 or above."
    },
    {
      "lang": "es",
      "value": "Wire es una plataforma de colaboraci\u00f3n. wire-ios-transport maneja la autenticaci\u00f3n de peticiones, los fallos de red y los reintentos para la implementaci\u00f3n de Wire en iOS. En la versi\u00f3n 3.82 de la aplicaci\u00f3n iOS, se introdujo una nueva implementaci\u00f3n de websocket para los usuarios que ejecutan iOS versi\u00f3n 13 o superior. Esta nueva implementaci\u00f3n de websocket no est\u00e1 configurada para aplicar la fijaci\u00f3n de certificados cuando est\u00e1 disponible. La fijaci\u00f3n de certificados para el nuevo websocket se aplica en la versi\u00f3n 3.84 o superior"
    }
  ],
  "id": "CVE-2021-32755",
  "lastModified": "2024-11-21T06:07:40.630",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 4.0,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.5,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-07-13T21:15:07.737",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/wireapp/wire-ios-transport/security/advisories/GHSA-v8mx-h3vj-w39v"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/wireapp/wire-ios-transport/security/advisories/GHSA-v8mx-h3vj-w39v"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-295"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-295"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

FKIE_CVE-2021-32666

Vulnerability from fkie_nvd - Published: 2021-06-03 22:15 - Updated: 2024-11-21 06:07
Summary
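wire-ios is the iOS version of Wire, an open-source secure messaging app. In wire-ios versions 3.8.0 and prior, a vulnerability exists that can cause a denial of service between users. If a user has an invalid assetID for their profile picture and it contains the " character, it will cause the iOS client to crash. The vulnerability is patched in wire-ios version 3.8.1. Note that the CPE match data in the record below gives the fixed boundary as 3.81 (versionEndExcluding) rather than 3.8.1, so confirm the version against the vendor advisory before relying on automated version matching.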
Impacted products
Vendor Product Version
wire wire *

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:wire:wire:*:*:*:*:*:iphone_os:*:*",
              "matchCriteriaId": "2DD070A1-55C9-4B0A-85F1-DA8C996520FE",
              "versionEndExcluding": "3.81",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "wire-ios is the iOS version of Wire, an open-source secure messaging app. In wire-ios versions 3.8.0 and prior, a vulnerability exists that can cause a denial of service between users. If a user has an invalid assetID for their profile picture and it contains the \" character, it will cause the iOS client to crash. The vulnerability is patched in wire-ios version 3.8.1."
    },
    {
      "lang": "es",
      "value": "wire-ios es la versi\u00f3n para iOS de Wire, una aplicaci\u00f3n de mensajer\u00eda segura de c\u00f3digo abierto. En wire-ios, versiones 3.8.0 y anteriores se presenta una vulnerabilidad que puede causar una denegaci\u00f3n de servicio entre usuarios. Si un usuario tiene un assetID no v\u00e1lido para su foto de perfil y contiene el car\u00e1cter \", causar\u00e1 que el cliente de iOS se bloquee. La vulnerabilidad est\u00e1 parcheada en la versi\u00f3n 3.8.1 de wire-ios"
    }
  ],
  "id": "CVE-2021-32666",
  "lastModified": "2024-11-21T06:07:29.430",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 4.0,
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-06-03T22:15:08.067",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/wireapp/wire-ios-data-model/commit/35af3f632085f51a2ce7f608fdaeffd1a69ad89f"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-2x9x-vh27-h4rv"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/wireapp/wire-ios-data-model/commit/35af3f632085f51a2ce7f608fdaeffd1a69ad89f"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-2x9x-vh27-h4rv"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-20"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

FKIE_CVE-2021-32665

Vulnerability from fkie_nvd - Published: 2021-06-03 21:15 - Updated: 2024-11-21 06:07
Summary
wire-ios is the iOS version of Wire, an open-source secure messaging app. wire-ios versions 3.8.0 and earlier have a bug in which a conversation could be incorrectly set to "unverified". This occurs when: (1) the self user is added to a new conversation; (2) the self user is added to an existing conversation; (3) all the participants in the conversation were previously marked as verified. The vulnerability is patched in wire-ios version 3.8.1. As a workaround, one can unverify and then re-verify a device in the conversation. Note that the CPE match data in the record below gives the fixed boundary as 3.81 (versionEndExcluding) rather than 3.8.1, so confirm the version against the vendor advisory before relying on automated version matching.
Impacted products
Vendor Product Version
wire wire *

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:wire:wire:*:*:*:*:*:iphone_os:*:*",
              "matchCriteriaId": "2DD070A1-55C9-4B0A-85F1-DA8C996520FE",
              "versionEndExcluding": "3.81",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "wire-ios is the iOS version of Wire, an open-source secure messaging app. wire-ios versions 3.8.0 and earlier have a bug in which a conversation could be incorrectly set to \"unverified. This occurs when: - Self user is added to a new conversation - Self user is added to an existing conversation - All the participants in the conversation were previously marked as verified. The vulnerability is patched in wire-ios version 3.8.1. As a workaround, one can unverify \u0026 verify a device in the conversation."
    },
    {
      "lang": "es",
      "value": "wire-ios es la versi\u00f3n para iOS de Wire, una aplicaci\u00f3n de mensajer\u00eda segura de c\u00f3digo abierto. Las versiones 3.8.0 y anteriores de wire-ios tienen un bug en el que una conversaci\u00f3n podr\u00eda ser incorrectamente establecida como \"no verificada\". Esto ocurre cuando: - Se a\u00f1ade un usuario propio a una nueva conversaci\u00f3n - Es a\u00f1adido un usuario propio a una conversaci\u00f3n existente - Todos los participantes en la conversaci\u00f3n estaban previamente marcados como verificados. La vulnerabilidad est\u00e1 parcheada en wire-ios versi\u00f3n 3.8.1. Como soluci\u00f3n, se puede desverificar y verificar un dispositivo en la conversaci\u00f3n"
    }
  ],
  "id": "CVE-2021-32665",
  "lastModified": "2024-11-21T06:07:29.323",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 5.0,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-06-03T21:15:07.997",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/wireapp/wire-ios-data-model/commit/bf9db85886b12a20c8374f55b7c4a610e8ae9220"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-mc65-7w99-c6qv"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/wireapp/wire-ios-data-model/commit/bf9db85886b12a20c8374f55b7c4a610e8ae9220"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-mc65-7w99-c6qv"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-345"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

FKIE_CVE-2021-21301

Vulnerability from fkie_nvd - Published: 2021-02-11 18:15 - Updated: 2024-11-21 05:47
Summary
Wire is an open-source collaboration platform. In Wire for iOS (iPhone and iPad) before version 3.75 there is a vulnerability where the video capture isn't stopped in a scenario where a user first has their camera enabled and then disables it. It's a privacy issue because video is streamed to the call when the user believes it is disabled. It impacts all users in video calls. This is fixed in version 3.75.
Impacted products
Vendor Product Version
wire wire *

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:wire:wire:*:*:*:*:*:iphone_os:*:*",
              "matchCriteriaId": "9D324BAB-15A4-4787-8EC0-8AE5F18C84A8",
              "versionEndExcluding": "3.75",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Wire is an open-source collaboration platform. In Wire for iOS (iPhone and iPad) before version 3.75 there is a vulnerability where the video capture isn\u0027t stopped in a scenario where a user first has their camera enabled and then disables it. It\u0027s a privacy issue because video is streamed to the call when the user believes it is disabled. It impacts all users in video calls. This is fixed in version 3.75."
    },
    {
      "lang": "es",
      "value": "Wire es una plataforma de colaboraci\u00f3n de c\u00f3digo abierto.\u0026#xa0;En Wire para iOS (iPhone y iPad) anterior a versi\u00f3n 3.75, se presenta una vulnerabilidad en la que la captura de video no se detiene en un escenario en el que un usuario primero tiene su c\u00e1mara habilitada y luego la deshabilita.\u0026#xa0;Es un problema de privacidad porque el video se transmite a la llamada cuando el usuario cree que est\u00e1 deshabilitado.\u0026#xa0;Afecta a todos los usuarios en las videollamadas.\u0026#xa0;Esto se corrige en la versi\u00f3n 3.75"
    }
  ],
  "id": "CVE-2021-21301",
  "lastModified": "2024-11-21T05:47:58.573",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 2.6,
          "baseSeverity": "LOW",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 1.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-02-11T18:15:16.910",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/wireapp/wire-ios/commit/7e3c30120066c9b10e50cc0d20012d0849c33a40"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/wireapp/wire-ios/pull/4879"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-7fg4-x8vj-qvxf"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/wireapp/wire-ios/commit/7e3c30120066c9b10e50cc0d20012d0849c33a40"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/wireapp/wire-ios/pull/4879"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-7fg4-x8vj-qvxf"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

CVE-2023-22737 (GCVE-0-2023-22737)

Vulnerability from cvelistv5 – Published: 2023-01-27 23:14 – Updated: 2025-03-10 21:18
Title
wire-server vulnerable to unauthorized removal of Bots from Conversations
Summary
wire-server provides back end services for Wire, a team communication and collaboration platform. Prior to version 2022-12-09, every member of a Conversation can remove a Bot from a Conversation due to a missing permissions check. Only Conversation admins should be able to remove Bots; regular Conversation members are not allowed to do so. The issue is fixed in wire-server 2022-12-09 and is already deployed on all Wire managed services. On-premise instances of wire-server need to be updated to 2022-12-09/Chart 4.29.0, so that their backends are no longer affected. There are no known workarounds.
CWE
  • CWE-862 - Missing Authorization
  • CWE-280 - Improper Handling of Insufficient Permissions or Privileges
Assigner
Impacted products
Vendor Product Version
wireapp wire-server Affected: < 2022-12-09

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T10:20:30.226Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/wireapp/wire-server/security/advisories/GHSA-xmjc-c6w3-pcp4",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/wireapp/wire-server/security/advisories/GHSA-xmjc-c6w3-pcp4"
          },
          {
            "name": "https://github.com/wireapp/wire-server/pull/2870",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/wireapp/wire-server/pull/2870"
          },
          {
            "name": "https://github.com/wireapp/wire-server/commit/494a6881f5895d4ed9e5d011455242be0d5e6223",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/wireapp/wire-server/commit/494a6881f5895d4ed9e5d011455242be0d5e6223"
          },
          {
            "name": "https://github.com/wireapp/wire-server/releases/tag/v2022-12-09",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/wireapp/wire-server/releases/tag/v2022-12-09"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-22737",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-10T20:59:01.422903Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-10T21:18:14.172Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "wire-server",
          "vendor": "wireapp",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2022-12-09"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "wire-server provides back end services for Wire, a team communication and collaboration platform. Prior to version 2022-12-09, every member of a Conversation can remove a Bot from a Conversation due to a missing permissions check. Only Conversation admins should be able to remove Bots. Regular Conversations are not allowed to do so. The issue is fixed in wire-server 2022-12-09 and is already deployed on all Wire managed services. On-premise instances of wire-server need to be updated to 2022-12-09/Chart 4.29.0, so that their backends are no longer affected. There are no known workarounds."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862: Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-280",
              "description": "CWE-280: Improper Handling of Insufficient Permissions or Privileges ",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-01-27T23:14:33.913Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/wireapp/wire-server/security/advisories/GHSA-xmjc-c6w3-pcp4",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/wireapp/wire-server/security/advisories/GHSA-xmjc-c6w3-pcp4"
        },
        {
          "name": "https://github.com/wireapp/wire-server/pull/2870",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/wireapp/wire-server/pull/2870"
        },
        {
          "name": "https://github.com/wireapp/wire-server/commit/494a6881f5895d4ed9e5d011455242be0d5e6223",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/wireapp/wire-server/commit/494a6881f5895d4ed9e5d011455242be0d5e6223"
        },
        {
          "name": "https://github.com/wireapp/wire-server/releases/tag/v2022-12-09",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/wireapp/wire-server/releases/tag/v2022-12-09"
        }
      ],
      "source": {
        "advisory": "GHSA-xmjc-c6w3-pcp4",
        "discovery": "UNKNOWN"
      },
      "title": "wire-server vulnerable to unauthorized removal of Bots from Conversations"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-22737",
    "datePublished": "2023-01-27T23:14:33.913Z",
    "dateReserved": "2023-01-06T14:21:05.892Z",
    "dateUpdated": "2025-03-10T21:18:14.172Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-43673 (GCVE-0-2022-43673)

Vulnerability from cvelistv5 – Published: 2022-11-18 00:00 – Updated: 2025-04-30 13:54
Summary
Wire through 3.22.3993 on Windows advertises deletion of sent messages; nonetheless, all messages can be retrieved (for a limited period of time) from the AppData\Roaming\Wire\IndexedDB\https_app.wire.com_0.indexeddb.leveldb database.
CWE
  • n/a
Assigner

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T13:40:05.649Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://wire.com/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.secuvera.de/advisories/secuvera-SA-2022-01.txt"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "LOCAL",
              "availabilityImpact": "NONE",
              "baseScore": 4.7,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2022-43673",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-30T13:53:17.843426Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-532",
                "description": "CWE-532 Insertion of Sensitive Information into Log File",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-30T13:54:07.784Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Wire through 3.22.3993 on Windows advertises deletion of sent messages; nonetheless, all messages can be retrieved (for a limited period of time) from the AppData\\Roaming\\Wire\\IndexedDB\\https_app.wire.com_0.indexeddb.leveldb database."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-11-18T00:00:00.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://wire.com/"
        },
        {
          "url": "https://www.secuvera.de/advisories/secuvera-SA-2022-01.txt"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-43673",
    "datePublished": "2022-11-18T00:00:00.000Z",
    "dateReserved": "2022-10-24T00:00:00.000Z",
    "dateUpdated": "2025-04-30T13:54:07.784Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-31009 (GCVE-0-2022-31009)

Vulnerability from cvelistv5 – Published: 2022-06-23 06:40 – Updated: 2025-04-23 18:09
Title
DoS vulnerability: Invalid Accent Colors
Summary
wire-ios is an iOS client for the Wire secure messaging application. Invalid accent colors of Wire communication partners may render the iOS Wire Client partially unusable by causing it to crash multiple times on launch. These invalid accent colors can be used by and sent between Wire users. The root cause was an unnecessary assert statement when converting an integer value into the corresponding enum value, causing an exception instead of a fallback to a default value. This issue is fixed in [wire-ios](https://github.com/wireapp/wire-ios/commit/caa0e27dbe51f9edfda8c7a9f017d93b8cfddefb) and in Wire for iOS 3.100. There is no workaround available, but users may use other Wire clients (such as the [web app](https://app.wire.com)) to continue using Wire, or upgrade their client.
CWE
Assigner
Impacted products
Vendor Product Version
wireapp wire-ios Affected: < 3.100

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T07:03:40.199Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-83m6-p7x5-925j"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/wireapp/wire-ios/commit/caa0e27dbe51f9edfda8c7a9f017d93b8cfddefb"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-31009",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-23T14:04:59.569231Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-23T18:09:07.862Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "wire-ios",
          "vendor": "wireapp",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 3.100"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "wire-ios is an iOS client for the Wire secure messaging application. Invalid accent colors of Wire communication partners may render the iOS Wire Client partially unusable by causing it to crash multiple times on launch. These invalid accent colors can be used by and sent between Wire users. The root cause was an unnecessary assert statement when converting an integer value into the corresponding enum value, causing an exception instead of a fallback to a default value. This issue is fixed in [wire-ios](https://github.com/wireapp/wire-ios/commit/caa0e27dbe51f9edfda8c7a9f017d93b8cfddefb) and in Wire for iOS 3.100. There is no workaround available, but users may use other Wire clients (such as the [web app](https://app.wire.com)) to continue using Wire, or upgrade their client."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 5.7,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-617",
              "description": "CWE-617: Reachable Assertion",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-06-23T06:40:10.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-83m6-p7x5-925j"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/wireapp/wire-ios/commit/caa0e27dbe51f9edfda8c7a9f017d93b8cfddefb"
        }
      ],
      "source": {
        "advisory": "GHSA-83m6-p7x5-925j",
        "discovery": "UNKNOWN"
      },
      "title": "DoS vulnerability: Invalid Accent Colors",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-31009",
          "STATE": "PUBLIC",
          "TITLE": "DoS vulnerability: Invalid Accent Colors"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "wire-ios",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 3.100"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "wireapp"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "wire-ios is an iOS client for the Wire secure messaging application. Invalid accent colors of Wire communication partners may render the iOS Wire Client partially unusable by causing it to crash multiple times on launch. These invalid accent colors can be used by and sent between Wire users. The root cause was an unnecessary assert statement when converting an integer value into the corresponding enum value, causing an exception instead of a fallback to a default value. This issue is fixed in [wire-ios](https://github.com/wireapp/wire-ios/commit/caa0e27dbe51f9edfda8c7a9f017d93b8cfddefb) and in Wire for iOS 3.100. There is no workaround available, but users may use other Wire clients (such as the [web app](https://app.wire.com)) to continue using Wire, or upgrade their client."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 5.7,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-617: Reachable Assertion"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-83m6-p7x5-925j",
              "refsource": "CONFIRM",
              "url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-83m6-p7x5-925j"
            },
            {
              "name": "https://github.com/wireapp/wire-ios/commit/caa0e27dbe51f9edfda8c7a9f017d93b8cfddefb",
              "refsource": "MISC",
              "url": "https://github.com/wireapp/wire-ios/commit/caa0e27dbe51f9edfda8c7a9f017d93b8cfddefb"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-83m6-p7x5-925j",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-31009",
    "datePublished": "2022-06-23T06:40:10.000Z",
    "dateReserved": "2022-05-18T00:00:00.000Z",
    "dateUpdated": "2025-04-23T18:09:07.862Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-23625 (GCVE-0-2022-23625)

Vulnerability from cvelistv5 – Published: 2022-03-11 18:00 – Updated: 2025-04-23 18:54
Title
DoS vulnerability: Malformed Resource Identifiers
Summary
Wire-ios is a messaging application using the wire protocol on Apple's iOS platform. In versions prior to 3.95, malformed resource identifiers may render the iOS Wire Client completely unusable by causing it to repeatedly crash on launch. These malformed resource identifiers can be generated and sent between Wire users. The root cause lies in [wireapp/wire-ios-transport](https://github.com/wireapp/wire-ios-transport), where code responsible for removing sensitive tokens before logging may fail and lead to a crash (Swift exception) of the application. This causes undesirable behavior; however, the (greater) Wire system is still functional. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue.
CWE
  • CWE-755 - Improper Handling of Exceptional Conditions
Assigner
Impacted products
Vendor Product Version
wireapp wire-ios Affected: < 3.95

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T03:51:45.474Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-rq36-8qfp-79mc"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/wireapp/wire-ios-transport/security/advisories/GHSA-3xvh-x964-572h"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/wireapp/wire-ios-transport/commit/02e90aa45edaf7eb2d8b97fa2377cd8104274170"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-23625",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-23T14:09:11.767474Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-23T18:54:35.233Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "wire-ios",
          "vendor": "wireapp",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 3.95"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Wire-ios is a messaging application using the wire protocol on apple\u0027s ios platform. In versions prior to 3.95 malformed resource identifiers may render the iOS Wire Client completely unusable by causing it to repeatedly crash on launch. These malformed resource identifiers can be generated and sent between Wire users. The root cause lies in [wireapp/wire-ios-transport](https://github.com/wireapp/wire-ios-transport), where code responsible for removing sensible tokens before logging may fail and lead to a crash (Swift exception) of the application. This causes undesirable behavior, however the (greater) Wire system is still functional. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-755",
              "description": "CWE-755: Improper Handling of Exceptional Conditions",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-03-11T18:00:15.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-rq36-8qfp-79mc"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/wireapp/wire-ios-transport/security/advisories/GHSA-3xvh-x964-572h"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/wireapp/wire-ios-transport/commit/02e90aa45edaf7eb2d8b97fa2377cd8104274170"
        }
      ],
      "source": {
        "advisory": "GHSA-rq36-8qfp-79mc",
        "discovery": "UNKNOWN"
      },
      "title": "DoS vulnerability: Malformed Resource Identifiers",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-23625",
          "STATE": "PUBLIC",
          "TITLE": "DoS vulnerability: Malformed Resource Identifiers"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "wire-ios",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 3.95"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "wireapp"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Wire-ios is a messaging application using the wire protocol on apple\u0027s ios platform. In versions prior to 3.95 malformed resource identifiers may render the iOS Wire Client completely unusable by causing it to repeatedly crash on launch. These malformed resource identifiers can be generated and sent between Wire users. The root cause lies in [wireapp/wire-ios-transport](https://github.com/wireapp/wire-ios-transport), where code responsible for removing sensible tokens before logging may fail and lead to a crash (Swift exception) of the application. This causes undesirable behavior, however the (greater) Wire system is still functional. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-755: Improper Handling of Exceptional Conditions"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-rq36-8qfp-79mc",
              "refsource": "CONFIRM",
              "url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-rq36-8qfp-79mc"
            },
            {
              "name": "https://github.com/wireapp/wire-ios-transport/security/advisories/GHSA-3xvh-x964-572h",
              "refsource": "MISC",
              "url": "https://github.com/wireapp/wire-ios-transport/security/advisories/GHSA-3xvh-x964-572h"
            },
            {
              "name": "https://github.com/wireapp/wire-ios-transport/commit/02e90aa45edaf7eb2d8b97fa2377cd8104274170",
              "refsource": "MISC",
              "url": "https://github.com/wireapp/wire-ios-transport/commit/02e90aa45edaf7eb2d8b97fa2377cd8104274170"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-rq36-8qfp-79mc",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-23625",
    "datePublished": "2022-03-11T18:00:15.000Z",
    "dateReserved": "2022-01-19T00:00:00.000Z",
    "dateUpdated": "2025-04-23T18:54:35.233Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-41094 (GCVE-0-2021-41094)

Vulnerability from cvelistv5 – Published: 2021-10-04 18:20 – Updated: 2024-08-04 02:59
Title
Mandatory encryption at rest can be bypassed (UI) in Wire app
Summary
Wire is an open source secure messenger. Users of Wire by Bund may bypass the mandatory encryption at rest feature by simply disabling their device passcode. Upon launching, the app will attempt to enable encryption at rest by generating encryption keys via the Secure Enclave; however, it will fail silently if no device passcode is set. The user has no indication that encryption at rest is not active, since the feature is hidden from them. This issue has been resolved in version 3.70.
CWE
  • CWE-668 - Exposure of Resource to Wrong Sphere
Assigner
Impacted products
Vendor Product Version
wireapp wire-ios Affected: >= 3.68, < 3.70

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T02:59:31.399Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-h4m7-pr8h-j7rf"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/wireapp/wire-ios/commit/5ba3eb180efc3fc795d095f9c84ae7f109b84746"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "wire-ios",
          "vendor": "wireapp",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 3.68, \u003c 3.70"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Wire is an open source secure messenger. Users of Wire by Bund may bypass the mandatory encryption at rest feature by simply disabling their device passcode. Upon launching, the app will attempt to enable encryption at rest by generating encryption keys via the Secure Enclave, however it will fail silently if no device passcode is set. The user has no indication that encryption at rest is not active since the feature is hidden to them. This issue has been resolved in version 3.70"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 4.2,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-668",
              "description": "CWE-668: Exposure of Resource to Wrong Sphere",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-10-04T18:20:13",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-h4m7-pr8h-j7rf"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/wireapp/wire-ios/commit/5ba3eb180efc3fc795d095f9c84ae7f109b84746"
        }
      ],
      "source": {
        "advisory": "GHSA-h4m7-pr8h-j7rf",
        "discovery": "UNKNOWN"
      },
      "title": "Mandatory encryption at rest can be bypassed (UI) in Wire app",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-41094",
          "STATE": "PUBLIC",
          "TITLE": "Mandatory encryption at rest can be bypassed (UI) in Wire app"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "wire-ios",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003e= 3.68, \u003c 3.70"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "wireapp"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Wire is an open source secure messenger. Users of Wire by Bund may bypass the mandatory encryption at rest feature by simply disabling their device passcode. Upon launching, the app will attempt to enable encryption at rest by generating encryption keys via the Secure Enclave, however it will fail silently if no device passcode is set. The user has no indication that encryption at rest is not active since the feature is hidden to them. This issue has been resolved in version 3.70"
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 4.2,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-668: Exposure of Resource to Wrong Sphere"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-h4m7-pr8h-j7rf",
              "refsource": "CONFIRM",
              "url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-h4m7-pr8h-j7rf"
            },
            {
              "name": "https://github.com/wireapp/wire-ios/commit/5ba3eb180efc3fc795d095f9c84ae7f109b84746",
              "refsource": "MISC",
              "url": "https://github.com/wireapp/wire-ios/commit/5ba3eb180efc3fc795d095f9c84ae7f109b84746"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-h4m7-pr8h-j7rf",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-41094",
    "datePublished": "2021-10-04T18:20:13",
    "dateReserved": "2021-09-15T00:00:00",
    "dateUpdated": "2024-08-04T02:59:31.399Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-41093 (GCVE-0-2021-41093)

Vulnerability from cvelistv5 – Published: 2021-10-04 18:15 – Updated: 2024-08-04 02:59
Title
Account takeover when having only access to a user's short lived token
Summary
Wire is an open source secure messenger. In affected versions, if an attacker gets an old but valid access token, they can take over an account by changing the email. This issue has been resolved in version 3.86, which uses a new endpoint that additionally requires an authentication cookie. See wire-ios-sync-engine and wire-ios-transport references. This is the root advisory that pulls the changes together.
CWE
Assigner
Impacted products
Vendor Product Version
wireapp wire-ios Affected: < 3.86

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T02:59:31.525Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-6f4c-phfj-m255"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/wireapp/wire-ios-sync-engine/security/advisories/GHSA-w727-5f74-49xj"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/wireapp/wire-ios-transport/security/advisories/GHSA-p354-6r3m-g4xr"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/wireapp/wire-server/security/advisories/GHSA-9rm2-w6pq-333m"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/wireapp/wire-ios/commit/b0e7bb3b13dd8212032cb46e32edf701694687c7"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "wire-ios",
          "vendor": "wireapp",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 3.86"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Wire is an open source secure messenger. In affected versions if the an attacker gets an old but valid access token they can take over an account by changing the email. This issue has been resolved in version 3.86 which uses a new endpoint which additionally requires an authentication cookie. See wire-ios-sync-engine and wire-ios-transport references. This is the root advisory that pulls the changes together."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-285",
              "description": "CWE-285: Improper Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-10-04T18:15:11",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-6f4c-phfj-m255"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/wireapp/wire-ios-sync-engine/security/advisories/GHSA-w727-5f74-49xj"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/wireapp/wire-ios-transport/security/advisories/GHSA-p354-6r3m-g4xr"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/wireapp/wire-server/security/advisories/GHSA-9rm2-w6pq-333m"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/wireapp/wire-ios/commit/b0e7bb3b13dd8212032cb46e32edf701694687c7"
        }
      ],
      "source": {
        "advisory": "GHSA-6f4c-phfj-m255",
        "discovery": "UNKNOWN"
      },
      "title": "Account takeover when having only access to a user\u0027s short lived token",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-41093",
          "STATE": "PUBLIC",
          "TITLE": "Account takeover when having only access to a user\u0027s short lived token"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "wire-ios",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 3.86"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "wireapp"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Wire is an open source secure messenger. In affected versions if the an attacker gets an old but valid access token they can take over an account by changing the email. This issue has been resolved in version 3.86 which uses a new endpoint which additionally requires an authentication cookie. See wire-ios-sync-engine and wire-ios-transport references. This is the root advisory that pulls the changes together."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-285: Improper Authorization"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-6f4c-phfj-m255",
              "refsource": "CONFIRM",
              "url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-6f4c-phfj-m255"
            },
            {
              "name": "https://github.com/wireapp/wire-ios-sync-engine/security/advisories/GHSA-w727-5f74-49xj",
              "refsource": "MISC",
              "url": "https://github.com/wireapp/wire-ios-sync-engine/security/advisories/GHSA-w727-5f74-49xj"
            },
            {
              "name": "https://github.com/wireapp/wire-ios-transport/security/advisories/GHSA-p354-6r3m-g4xr",
              "refsource": "MISC",
              "url": "https://github.com/wireapp/wire-ios-transport/security/advisories/GHSA-p354-6r3m-g4xr"
            },
            {
              "name": "https://github.com/wireapp/wire-server/security/advisories/GHSA-9rm2-w6pq-333m",
              "refsource": "MISC",
              "url": "https://github.com/wireapp/wire-server/security/advisories/GHSA-9rm2-w6pq-333m"
            },
            {
              "name": "https://github.com/wireapp/wire-ios/commit/b0e7bb3b13dd8212032cb46e32edf701694687c7",
              "refsource": "MISC",
              "url": "https://github.com/wireapp/wire-ios/commit/b0e7bb3b13dd8212032cb46e32edf701694687c7"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-6f4c-phfj-m255",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-41093",
    "datePublished": "2021-10-04T18:15:11",
    "dateReserved": "2021-09-15T00:00:00",
    "dateUpdated": "2024-08-04T02:59:31.525Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-32755 (GCVE-0-2021-32755)

Vulnerability from cvelistv5 – Published: 2021-07-13 20:55 – Updated: 2024-08-03 23:33
Title
Certificate pinning is not enforced on the web socket connection
Summary
Wire is a collaboration platform. wire-ios-transport handles authentication of requests, network failures, and retries for the iOS implementation of Wire. In the 3.82 version of the iOS application, a new web socket implementation was introduced for users running iOS 13 or higher. This new websocket implementation is not configured to enforce certificate pinning when available. Certificate pinning for the new websocket is enforced in version 3.84 or above. Note: the affected-version field in the record below reads "= 3.8.2", which does not match the 3.82 named in this summary; confirm the exact affected range against the linked advisory before relying on it.
CWE
  • CWE-295 - Improper Certificate Validation
Assigner
References
Impacted products

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T23:33:55.754Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/wireapp/wire-ios-transport/security/advisories/GHSA-v8mx-h3vj-w39v"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "wire-ios-transport",
          "vendor": "wireapp",
          "versions": [
            {
              "status": "affected",
              "version": "= 3.8.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Wire is a collaboration platform. wire-ios-transport handles authentication of requests, network failures, and retries for the iOS implementation of Wire. In the 3.82 version of the iOS application, a new web socket implementation was introduced for users running iOS 13 or higher. This new websocket implementation is not configured to enforce certificate pinning when available. Certificate pinning for the new websocket is enforced in version 3.84 or above."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-295",
              "description": "CWE-295: Improper Certificate Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-07-13T20:55:09",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/wireapp/wire-ios-transport/security/advisories/GHSA-v8mx-h3vj-w39v"
        }
      ],
      "source": {
        "advisory": "GHSA-v8mx-h3vj-w39v",
        "discovery": "UNKNOWN"
      },
      "title": "Certificate pinning is not enforced on the web socket connection",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-32755",
          "STATE": "PUBLIC",
          "TITLE": "Certificate pinning is not enforced on the web socket connection"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "wire-ios-transport",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "= 3.8.2"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "wireapp"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Wire is a collaboration platform. wire-ios-transport handles authentication of requests, network failures, and retries for the iOS implementation of Wire. In the 3.82 version of the iOS application, a new web socket implementation was introduced for users running iOS 13 or higher. This new websocket implementation is not configured to enforce certificate pinning when available. Certificate pinning for the new websocket is enforced in version 3.84 or above."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-295: Improper Certificate Validation"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/wireapp/wire-ios-transport/security/advisories/GHSA-v8mx-h3vj-w39v",
              "refsource": "CONFIRM",
              "url": "https://github.com/wireapp/wire-ios-transport/security/advisories/GHSA-v8mx-h3vj-w39v"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-v8mx-h3vj-w39v",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-32755",
    "datePublished": "2021-07-13T20:55:09",
    "dateReserved": "2021-05-12T00:00:00",
    "dateUpdated": "2024-08-03T23:33:55.754Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-32666 (GCVE-0-2021-32666)

Vulnerability from cvelistv5 – Published: 2021-06-03 21:35 – Updated: 2024-08-03 23:25
Title
Asset DoS vulnerability
Summary
wire-ios is the iOS version of Wire, an open-source secure messaging app. In wire-ios versions 3.8.0 and prior, a vulnerability exists that can cause a denial of service between users. If a user has an invalid assetID for their profile picture and it contains the " character, it will cause the iOS client to crash. The vulnerability is patched in wire-ios version 3.8.1.
CWE
  • CWE-20 - Improper Input Validation
Assigner
Impacted products
Vendor Product Version
wireapp wire-ios Affected: <= 3.8.0

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T23:25:31.090Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-2x9x-vh27-h4rv"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/wireapp/wire-ios-data-model/commit/35af3f632085f51a2ce7f608fdaeffd1a69ad89f"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "wire-ios",
          "vendor": "wireapp",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 3.8.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "wire-ios is the iOS version of Wire, an open-source secure messaging app. In wire-ios versions 3.8.0 and prior, a vulnerability exists that can cause a denial of service between users. If a user has an invalid assetID for their profile picture and it contains the \" character, it will cause the iOS client to crash. The vulnerability is patched in wire-ios version 3.8.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20: Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-06-03T21:35:10",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-2x9x-vh27-h4rv"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/wireapp/wire-ios-data-model/commit/35af3f632085f51a2ce7f608fdaeffd1a69ad89f"
        }
      ],
      "source": {
        "advisory": "GHSA-2x9x-vh27-h4rv",
        "discovery": "UNKNOWN"
      },
      "title": "Asset DoS vulnerability",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-32666",
          "STATE": "PUBLIC",
          "TITLE": "Asset DoS vulnerability"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "wire-ios",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c= 3.8.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "wireapp"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "wire-ios is the iOS version of Wire, an open-source secure messaging app. In wire-ios versions 3.8.0 and prior, a vulnerability exists that can cause a denial of service between users. If a user has an invalid assetID for their profile picture and it contains the \" character, it will cause the iOS client to crash. The vulnerability is patched in wire-ios version 3.8.1."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-20: Improper Input Validation"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-2x9x-vh27-h4rv",
              "refsource": "CONFIRM",
              "url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-2x9x-vh27-h4rv"
            },
            {
              "name": "https://github.com/wireapp/wire-ios-data-model/commit/35af3f632085f51a2ce7f608fdaeffd1a69ad89f",
              "refsource": "MISC",
              "url": "https://github.com/wireapp/wire-ios-data-model/commit/35af3f632085f51a2ce7f608fdaeffd1a69ad89f"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-2x9x-vh27-h4rv",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-32666",
    "datePublished": "2021-06-03T21:35:10",
    "dateReserved": "2021-05-12T00:00:00",
    "dateUpdated": "2024-08-03T23:25:31.090Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-32665 (GCVE-0-2021-32665)

Vulnerability from cvelistv5 – Published: 2021-06-03 21:00 – Updated: 2024-08-03 23:25
Title
Verified groups not reliable
Summary
wire-ios is the iOS version of Wire, an open-source secure messaging app. wire-ios versions 3.8.0 and earlier have a bug in which a conversation could be incorrectly set to "unverified". This occurs when:
- Self user is added to a new conversation
- Self user is added to an existing conversation
- All the participants in the conversation were previously marked as verified.
The vulnerability is patched in wire-ios version 3.8.1. As a workaround, one can unverify & verify a device in the conversation.
CWE
  • CWE-345 - Insufficient Verification of Data Authenticity
Assigner
Impacted products
Vendor Product Version
wireapp wire-ios Affected: <= 3.8.0

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T23:25:31.122Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-mc65-7w99-c6qv"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/wireapp/wire-ios-data-model/commit/bf9db85886b12a20c8374f55b7c4a610e8ae9220"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "wire-ios",
          "vendor": "wireapp",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 3.8.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "wire-ios is the iOS version of Wire, an open-source secure messaging app. wire-ios versions 3.8.0 and earlier have a bug in which a conversation could be incorrectly set to \"unverified. This occurs when: - Self user is added to a new conversation - Self user is added to an existing conversation - All the participants in the conversation were previously marked as verified. The vulnerability is patched in wire-ios version 3.8.1. As a workaround, one can unverify \u0026 verify a device in the conversation."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-345",
              "description": "CWE-345: Insufficient Verification of Data Authenticity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-06-03T21:00:12",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-mc65-7w99-c6qv"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/wireapp/wire-ios-data-model/commit/bf9db85886b12a20c8374f55b7c4a610e8ae9220"
        }
      ],
      "source": {
        "advisory": "GHSA-mc65-7w99-c6qv",
        "discovery": "UNKNOWN"
      },
      "title": "Verified groups not reliable",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-32665",
          "STATE": "PUBLIC",
          "TITLE": "Verified groups not reliable"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "wire-ios",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c= 3.8.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "wireapp"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "wire-ios is the iOS version of Wire, an open-source secure messaging app. wire-ios versions 3.8.0 and earlier have a bug in which a conversation could be incorrectly set to \"unverified. This occurs when: - Self user is added to a new conversation - Self user is added to an existing conversation - All the participants in the conversation were previously marked as verified. The vulnerability is patched in wire-ios version 3.8.1. As a workaround, one can unverify \u0026 verify a device in the conversation."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-345: Insufficient Verification of Data Authenticity"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-mc65-7w99-c6qv",
              "refsource": "CONFIRM",
              "url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-mc65-7w99-c6qv"
            },
            {
              "name": "https://github.com/wireapp/wire-ios-data-model/commit/bf9db85886b12a20c8374f55b7c4a610e8ae9220",
              "refsource": "MISC",
              "url": "https://github.com/wireapp/wire-ios-data-model/commit/bf9db85886b12a20c8374f55b7c4a610e8ae9220"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-mc65-7w99-c6qv",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-32665",
    "datePublished": "2021-06-03T21:00:12",
    "dateReserved": "2021-05-12T00:00:00",
    "dateUpdated": "2024-08-03T23:25:31.122Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-22737 (GCVE-0-2023-22737)

Vulnerability from nvd – Published: 2023-01-27 23:14 – Updated: 2025-03-10 21:18
Title
wire-server vulnerable to unauthorized removal of Bots from Conversations
Summary
wire-server provides back end services for Wire, a team communication and collaboration platform. Prior to version 2022-12-09, every member of a Conversation can remove a Bot from a Conversation due to a missing permissions check. Only Conversation admins should be able to remove Bots. Regular Conversation members are not allowed to do so. The issue is fixed in wire-server 2022-12-09 and is already deployed on all Wire managed services. On-premise instances of wire-server need to be updated to 2022-12-09/Chart 4.29.0, so that their backends are no longer affected. There are no known workarounds.
CWE
  • CWE-862 - Missing Authorization
  • CWE-280 - Improper Handling of Insufficient Permissions or Privileges
Assigner
Impacted products
Vendor Product Version
wireapp wire-server Affected: < 2022-12-09

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T10:20:30.226Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/wireapp/wire-server/security/advisories/GHSA-xmjc-c6w3-pcp4",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/wireapp/wire-server/security/advisories/GHSA-xmjc-c6w3-pcp4"
          },
          {
            "name": "https://github.com/wireapp/wire-server/pull/2870",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/wireapp/wire-server/pull/2870"
          },
          {
            "name": "https://github.com/wireapp/wire-server/commit/494a6881f5895d4ed9e5d011455242be0d5e6223",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/wireapp/wire-server/commit/494a6881f5895d4ed9e5d011455242be0d5e6223"
          },
          {
            "name": "https://github.com/wireapp/wire-server/releases/tag/v2022-12-09",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/wireapp/wire-server/releases/tag/v2022-12-09"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-22737",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-10T20:59:01.422903Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-10T21:18:14.172Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "wire-server",
          "vendor": "wireapp",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2022-12-09"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "wire-server provides back end services for Wire, a team communication and collaboration platform. Prior to version 2022-12-09, every member of a Conversation can remove a Bot from a Conversation due to a missing permissions check. Only Conversation admins should be able to remove Bots. Regular Conversations are not allowed to do so. The issue is fixed in wire-server 2022-12-09 and is already deployed on all Wire managed services. On-premise instances of wire-server need to be updated to 2022-12-09/Chart 4.29.0, so that their backends are no longer affected. There are no known workarounds."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862: Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-280",
              "description": "CWE-280: Improper Handling of Insufficient Permissions or Privileges ",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-01-27T23:14:33.913Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/wireapp/wire-server/security/advisories/GHSA-xmjc-c6w3-pcp4",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/wireapp/wire-server/security/advisories/GHSA-xmjc-c6w3-pcp4"
        },
        {
          "name": "https://github.com/wireapp/wire-server/pull/2870",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/wireapp/wire-server/pull/2870"
        },
        {
          "name": "https://github.com/wireapp/wire-server/commit/494a6881f5895d4ed9e5d011455242be0d5e6223",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/wireapp/wire-server/commit/494a6881f5895d4ed9e5d011455242be0d5e6223"
        },
        {
          "name": "https://github.com/wireapp/wire-server/releases/tag/v2022-12-09",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/wireapp/wire-server/releases/tag/v2022-12-09"
        }
      ],
      "source": {
        "advisory": "GHSA-xmjc-c6w3-pcp4",
        "discovery": "UNKNOWN"
      },
      "title": "wire-server vulnerable to unauthorized removal of Bots from Conversations"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-22737",
    "datePublished": "2023-01-27T23:14:33.913Z",
    "dateReserved": "2023-01-06T14:21:05.892Z",
    "dateUpdated": "2025-03-10T21:18:14.172Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-43673 (GCVE-0-2022-43673)

Vulnerability from nvd – Published: 2022-11-18 00:00 – Updated: 2025-04-30 13:54
Summary
Wire through 3.22.3993 on Windows advertises deletion of sent messages; nonetheless, all messages can be retrieved (for a limited period of time) from the AppData\Roaming\Wire\IndexedDB\https_app.wire.com_0.indexeddb.leveldb database.
CWE
  • n/a
Assigner

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T13:40:05.649Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://wire.com/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.secuvera.de/advisories/secuvera-SA-2022-01.txt"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "LOCAL",
              "availabilityImpact": "NONE",
              "baseScore": 4.7,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2022-43673",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-30T13:53:17.843426Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-532",
                "description": "CWE-532 Insertion of Sensitive Information into Log File",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-30T13:54:07.784Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Wire through 3.22.3993 on Windows advertises deletion of sent messages; nonetheless, all messages can be retrieved (for a limited period of time) from the AppData\\Roaming\\Wire\\IndexedDB\\https_app.wire.com_0.indexeddb.leveldb database."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-11-18T00:00:00.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://wire.com/"
        },
        {
          "url": "https://www.secuvera.de/advisories/secuvera-SA-2022-01.txt"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-43673",
    "datePublished": "2022-11-18T00:00:00.000Z",
    "dateReserved": "2022-10-24T00:00:00.000Z",
    "dateUpdated": "2025-04-30T13:54:07.784Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-31009 (GCVE-0-2022-31009)

Vulnerability from nvd – Published: 2022-06-23 06:40 – Updated: 2025-04-23 18:09
Title
DoS vulnerability: Invalid Accent Colors
Summary
wire-ios is an iOS client for the Wire secure messaging application. Invalid accent colors of Wire communication partners may render the iOS Wire Client partially unusable by causing it to crash multiple times on launch. These invalid accent colors can be used by and sent between Wire users. The root cause was an unnecessary assert statement when converting an integer value into the corresponding enum value, causing an exception instead of a fallback to a default value. This issue is fixed in [wire-ios](https://github.com/wireapp/wire-ios/commit/caa0e27dbe51f9edfda8c7a9f017d93b8cfddefb) and in Wire for iOS 3.100. There is no workaround available, but users may use other Wire clients (such as the [web app](https://app.wire.com)) to continue using Wire, or upgrade their client.
CWE
Assigner
Impacted products
Vendor Product Version
wireapp wire-ios Affected: < 3.100

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T07:03:40.199Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-83m6-p7x5-925j"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/wireapp/wire-ios/commit/caa0e27dbe51f9edfda8c7a9f017d93b8cfddefb"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-31009",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-23T14:04:59.569231Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-23T18:09:07.862Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "wire-ios",
          "vendor": "wireapp",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 3.100"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "wire-ios is an iOS client for the Wire secure messaging application. Invalid accent colors of Wire communication partners may render the iOS Wire Client partially unusable by causing it to crash multiple times on launch. These invalid accent colors can be used by and sent between Wire users. The root cause was an unnecessary assert statement when converting an integer value into the corresponding enum value, causing an exception instead of a fallback to a default value. This issue is fixed in [wire-ios](https://github.com/wireapp/wire-ios/commit/caa0e27dbe51f9edfda8c7a9f017d93b8cfddefb) and in Wire for iOS 3.100. There is no workaround available, but users may use other Wire clients (such as the [web app](https://app.wire.com)) to continue using Wire, or upgrade their client."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 5.7,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-617",
              "description": "CWE-617: Reachable Assertion",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-06-23T06:40:10.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-83m6-p7x5-925j"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/wireapp/wire-ios/commit/caa0e27dbe51f9edfda8c7a9f017d93b8cfddefb"
        }
      ],
      "source": {
        "advisory": "GHSA-83m6-p7x5-925j",
        "discovery": "UNKNOWN"
      },
      "title": "DoS vulnerability: Invalid Accent Colors",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-31009",
          "STATE": "PUBLIC",
          "TITLE": "DoS vulnerability: Invalid Accent Colors"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "wire-ios",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 3.100"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "wireapp"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "wire-ios is an iOS client for the Wire secure messaging application. Invalid accent colors of Wire communication partners may render the iOS Wire Client partially unusable by causing it to crash multiple times on launch. These invalid accent colors can be used by and sent between Wire users. The root cause was an unnecessary assert statement when converting an integer value into the corresponding enum value, causing an exception instead of a fallback to a default value. This issue is fixed in [wire-ios](https://github.com/wireapp/wire-ios/commit/caa0e27dbe51f9edfda8c7a9f017d93b8cfddefb) and in Wire for iOS 3.100. There is no workaround available, but users may use other Wire clients (such as the [web app](https://app.wire.com)) to continue using Wire, or upgrade their client."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 5.7,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-617: Reachable Assertion"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-83m6-p7x5-925j",
              "refsource": "CONFIRM",
              "url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-83m6-p7x5-925j"
            },
            {
              "name": "https://github.com/wireapp/wire-ios/commit/caa0e27dbe51f9edfda8c7a9f017d93b8cfddefb",
              "refsource": "MISC",
              "url": "https://github.com/wireapp/wire-ios/commit/caa0e27dbe51f9edfda8c7a9f017d93b8cfddefb"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-83m6-p7x5-925j",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-31009",
    "datePublished": "2022-06-23T06:40:10.000Z",
    "dateReserved": "2022-05-18T00:00:00.000Z",
    "dateUpdated": "2025-04-23T18:09:07.862Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-23625 (GCVE-0-2022-23625)

Vulnerability from nvd – Published: 2022-03-11 18:00 – Updated: 2025-04-23 18:54
Title
DoS vulnerability: Malformed Resource Identifiers
Summary
Wire-ios is a messaging application using the Wire protocol on Apple's iOS platform. In versions prior to 3.95, malformed resource identifiers may render the iOS Wire Client completely unusable by causing it to repeatedly crash on launch. These malformed resource identifiers can be generated and sent between Wire users. The root cause lies in [wireapp/wire-ios-transport](https://github.com/wireapp/wire-ios-transport), where code responsible for removing sensitive tokens before logging may fail and lead to a crash (Swift exception) of the application. This causes undesirable behavior; however, the (greater) Wire system is still functional. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue.
CWE
  • CWE-755 - Improper Handling of Exceptional Conditions
Assigner
Impacted products
Vendor Product Version
wireapp wire-ios Affected: < 3.95

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T03:51:45.474Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-rq36-8qfp-79mc"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/wireapp/wire-ios-transport/security/advisories/GHSA-3xvh-x964-572h"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/wireapp/wire-ios-transport/commit/02e90aa45edaf7eb2d8b97fa2377cd8104274170"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-23625",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-23T14:09:11.767474Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-23T18:54:35.233Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "wire-ios",
          "vendor": "wireapp",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 3.95"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Wire-ios is a messaging application using the wire protocol on apple\u0027s ios platform. In versions prior to 3.95 malformed resource identifiers may render the iOS Wire Client completely unusable by causing it to repeatedly crash on launch. These malformed resource identifiers can be generated and sent between Wire users. The root cause lies in [wireapp/wire-ios-transport](https://github.com/wireapp/wire-ios-transport), where code responsible for removing sensible tokens before logging may fail and lead to a crash (Swift exception) of the application. This causes undesirable behavior, however the (greater) Wire system is still functional. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-755",
              "description": "CWE-755: Improper Handling of Exceptional Conditions",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-03-11T18:00:15.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-rq36-8qfp-79mc"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/wireapp/wire-ios-transport/security/advisories/GHSA-3xvh-x964-572h"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/wireapp/wire-ios-transport/commit/02e90aa45edaf7eb2d8b97fa2377cd8104274170"
        }
      ],
      "source": {
        "advisory": "GHSA-rq36-8qfp-79mc",
        "discovery": "UNKNOWN"
      },
      "title": "DoS vulnerability: Malformed Resource Identifiers",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-23625",
          "STATE": "PUBLIC",
          "TITLE": "DoS vulnerability: Malformed Resource Identifiers"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "wire-ios",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 3.95"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "wireapp"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Wire-ios is a messaging application using the wire protocol on apple\u0027s ios platform. In versions prior to 3.95 malformed resource identifiers may render the iOS Wire Client completely unusable by causing it to repeatedly crash on launch. These malformed resource identifiers can be generated and sent between Wire users. The root cause lies in [wireapp/wire-ios-transport](https://github.com/wireapp/wire-ios-transport), where code responsible for removing sensible tokens before logging may fail and lead to a crash (Swift exception) of the application. This causes undesirable behavior, however the (greater) Wire system is still functional. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-755: Improper Handling of Exceptional Conditions"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-rq36-8qfp-79mc",
              "refsource": "CONFIRM",
              "url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-rq36-8qfp-79mc"
            },
            {
              "name": "https://github.com/wireapp/wire-ios-transport/security/advisories/GHSA-3xvh-x964-572h",
              "refsource": "MISC",
              "url": "https://github.com/wireapp/wire-ios-transport/security/advisories/GHSA-3xvh-x964-572h"
            },
            {
              "name": "https://github.com/wireapp/wire-ios-transport/commit/02e90aa45edaf7eb2d8b97fa2377cd8104274170",
              "refsource": "MISC",
              "url": "https://github.com/wireapp/wire-ios-transport/commit/02e90aa45edaf7eb2d8b97fa2377cd8104274170"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-rq36-8qfp-79mc",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-23625",
    "datePublished": "2022-03-11T18:00:15.000Z",
    "dateReserved": "2022-01-19T00:00:00.000Z",
    "dateUpdated": "2025-04-23T18:54:35.233Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-41094 (GCVE-0-2021-41094)

Vulnerability from nvd – Published: 2021-10-04 18:20 – Updated: 2024-08-04 02:59
Title
Mandatory encryption at rest can be bypassed (UI) in Wire app
Summary
Wire is an open source secure messenger. Users of Wire by Bund may bypass the mandatory encryption at rest feature by simply disabling their device passcode. Upon launching, the app will attempt to enable encryption at rest by generating encryption keys via the Secure Enclave, however it will fail silently if no device passcode is set. The user has no indication that encryption at rest is not active since the feature is hidden to them. This issue has been resolved in version 3.70
CWE
  • CWE-668 - Exposure of Resource to Wrong Sphere
Assigner
Impacted products
Vendor Product Version
wireapp wire-ios Affected: >= 3.68, < 3.70

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T02:59:31.399Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-h4m7-pr8h-j7rf"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/wireapp/wire-ios/commit/5ba3eb180efc3fc795d095f9c84ae7f109b84746"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "wire-ios",
          "vendor": "wireapp",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 3.68, \u003c 3.70"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Wire is an open source secure messenger. Users of Wire by Bund may bypass the mandatory encryption at rest feature by simply disabling their device passcode. Upon launching, the app will attempt to enable encryption at rest by generating encryption keys via the Secure Enclave, however it will fail silently if no device passcode is set. The user has no indication that encryption at rest is not active since the feature is hidden to them. This issue has been resolved in version 3.70"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 4.2,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-668",
              "description": "CWE-668: Exposure of Resource to Wrong Sphere",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-10-04T18:20:13",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-h4m7-pr8h-j7rf"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/wireapp/wire-ios/commit/5ba3eb180efc3fc795d095f9c84ae7f109b84746"
        }
      ],
      "source": {
        "advisory": "GHSA-h4m7-pr8h-j7rf",
        "discovery": "UNKNOWN"
      },
      "title": "Mandatory encryption at rest can be bypassed (UI) in Wire app",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-41094",
          "STATE": "PUBLIC",
          "TITLE": "Mandatory encryption at rest can be bypassed (UI) in Wire app"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "wire-ios",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003e= 3.68, \u003c 3.70"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "wireapp"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Wire is an open source secure messenger. Users of Wire by Bund may bypass the mandatory encryption at rest feature by simply disabling their device passcode. Upon launching, the app will attempt to enable encryption at rest by generating encryption keys via the Secure Enclave, however it will fail silently if no device passcode is set. The user has no indication that encryption at rest is not active since the feature is hidden to them. This issue has been resolved in version 3.70"
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 4.2,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-668: Exposure of Resource to Wrong Sphere"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-h4m7-pr8h-j7rf",
              "refsource": "CONFIRM",
              "url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-h4m7-pr8h-j7rf"
            },
            {
              "name": "https://github.com/wireapp/wire-ios/commit/5ba3eb180efc3fc795d095f9c84ae7f109b84746",
              "refsource": "MISC",
              "url": "https://github.com/wireapp/wire-ios/commit/5ba3eb180efc3fc795d095f9c84ae7f109b84746"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-h4m7-pr8h-j7rf",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-41094",
    "datePublished": "2021-10-04T18:20:13",
    "dateReserved": "2021-09-15T00:00:00",
    "dateUpdated": "2024-08-04T02:59:31.399Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-41093 (GCVE-0-2021-41093)

Vulnerability from nvd – Published: 2021-10-04 18:15 – Updated: 2024-08-04 02:59
Title
Account takeover when having only access to a user's short lived token
Summary
Wire is an open source secure messenger. In affected versions, if an attacker obtains an old but still valid access token, they can take over an account by changing the email. This issue has been resolved in version 3.86, which uses a new endpoint that additionally requires an authentication cookie. See the wire-ios-sync-engine and wire-ios-transport references. This is the root advisory that pulls the changes together.
CWE
Assigner
Impacted products
Vendor Product Version
wireapp wire-ios Affected: < 3.86

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T02:59:31.525Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-6f4c-phfj-m255"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/wireapp/wire-ios-sync-engine/security/advisories/GHSA-w727-5f74-49xj"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/wireapp/wire-ios-transport/security/advisories/GHSA-p354-6r3m-g4xr"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/wireapp/wire-server/security/advisories/GHSA-9rm2-w6pq-333m"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/wireapp/wire-ios/commit/b0e7bb3b13dd8212032cb46e32edf701694687c7"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "wire-ios",
          "vendor": "wireapp",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 3.86"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Wire is an open source secure messenger. In affected versions if the an attacker gets an old but valid access token they can take over an account by changing the email. This issue has been resolved in version 3.86 which uses a new endpoint which additionally requires an authentication cookie. See wire-ios-sync-engine and wire-ios-transport references. This is the root advisory that pulls the changes together."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-285",
              "description": "CWE-285: Improper Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-10-04T18:15:11",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-6f4c-phfj-m255"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/wireapp/wire-ios-sync-engine/security/advisories/GHSA-w727-5f74-49xj"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/wireapp/wire-ios-transport/security/advisories/GHSA-p354-6r3m-g4xr"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/wireapp/wire-server/security/advisories/GHSA-9rm2-w6pq-333m"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/wireapp/wire-ios/commit/b0e7bb3b13dd8212032cb46e32edf701694687c7"
        }
      ],
      "source": {
        "advisory": "GHSA-6f4c-phfj-m255",
        "discovery": "UNKNOWN"
      },
      "title": "Account takeover when having only access to a user\u0027s short lived token",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-41093",
          "STATE": "PUBLIC",
          "TITLE": "Account takeover when having only access to a user\u0027s short lived token"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "wire-ios",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 3.86"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "wireapp"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Wire is an open source secure messenger. In affected versions if the an attacker gets an old but valid access token they can take over an account by changing the email. This issue has been resolved in version 3.86 which uses a new endpoint which additionally requires an authentication cookie. See wire-ios-sync-engine and wire-ios-transport references. This is the root advisory that pulls the changes together."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-285: Improper Authorization"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-6f4c-phfj-m255",
              "refsource": "CONFIRM",
              "url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-6f4c-phfj-m255"
            },
            {
              "name": "https://github.com/wireapp/wire-ios-sync-engine/security/advisories/GHSA-w727-5f74-49xj",
              "refsource": "MISC",
              "url": "https://github.com/wireapp/wire-ios-sync-engine/security/advisories/GHSA-w727-5f74-49xj"
            },
            {
              "name": "https://github.com/wireapp/wire-ios-transport/security/advisories/GHSA-p354-6r3m-g4xr",
              "refsource": "MISC",
              "url": "https://github.com/wireapp/wire-ios-transport/security/advisories/GHSA-p354-6r3m-g4xr"
            },
            {
              "name": "https://github.com/wireapp/wire-server/security/advisories/GHSA-9rm2-w6pq-333m",
              "refsource": "MISC",
              "url": "https://github.com/wireapp/wire-server/security/advisories/GHSA-9rm2-w6pq-333m"
            },
            {
              "name": "https://github.com/wireapp/wire-ios/commit/b0e7bb3b13dd8212032cb46e32edf701694687c7",
              "refsource": "MISC",
              "url": "https://github.com/wireapp/wire-ios/commit/b0e7bb3b13dd8212032cb46e32edf701694687c7"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-6f4c-phfj-m255",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-41093",
    "datePublished": "2021-10-04T18:15:11",
    "dateReserved": "2021-09-15T00:00:00",
    "dateUpdated": "2024-08-04T02:59:31.525Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-32755 (GCVE-0-2021-32755)

Vulnerability from nvd – Published: 2021-07-13 20:55 – Updated: 2024-08-03 23:33
Title
Certificate pinning is not enforced on the web socket connection
Summary
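Wire is a collaboration platform. wire-ios-transport handles authentication of requests, network failures, and retries for the iOS implementation of Wire. In the 3.82 version of the iOS application, a new web socket implementation was introduced for users running iOS 13 or higher. This new websocket implementation is not configured to enforce certificate pinning when available. Certificate pinning for the new websocket is enforced in version 3.84 or above. (Note: the record's affected-version field below lists "= 3.8.2" for wire-ios-transport, while this description refers to application versions 3.82 and 3.84; confirm the exact affected and fixed releases against the linked advisory.)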
CWE
  • CWE-295 - Improper Certificate Validation
Assigner
References
Impacted products

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T23:33:55.754Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/wireapp/wire-ios-transport/security/advisories/GHSA-v8mx-h3vj-w39v"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "wire-ios-transport",
          "vendor": "wireapp",
          "versions": [
            {
              "status": "affected",
              "version": "= 3.8.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Wire is a collaboration platform. wire-ios-transport handles authentication of requests, network failures, and retries for the iOS implementation of Wire. In the 3.82 version of the iOS application, a new web socket implementation was introduced for users running iOS 13 or higher. This new websocket implementation is not configured to enforce certificate pinning when available. Certificate pinning for the new websocket is enforced in version 3.84 or above."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-295",
              "description": "CWE-295: Improper Certificate Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-07-13T20:55:09",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/wireapp/wire-ios-transport/security/advisories/GHSA-v8mx-h3vj-w39v"
        }
      ],
      "source": {
        "advisory": "GHSA-v8mx-h3vj-w39v",
        "discovery": "UNKNOWN"
      },
      "title": "Certificate pinning is not enforced on the web socket connection",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-32755",
          "STATE": "PUBLIC",
          "TITLE": "Certificate pinning is not enforced on the web socket connection"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "wire-ios-transport",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "= 3.8.2"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "wireapp"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Wire is a collaboration platform. wire-ios-transport handles authentication of requests, network failures, and retries for the iOS implementation of Wire. In the 3.82 version of the iOS application, a new web socket implementation was introduced for users running iOS 13 or higher. This new websocket implementation is not configured to enforce certificate pinning when available. Certificate pinning for the new websocket is enforced in version 3.84 or above."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-295: Improper Certificate Validation"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/wireapp/wire-ios-transport/security/advisories/GHSA-v8mx-h3vj-w39v",
              "refsource": "CONFIRM",
              "url": "https://github.com/wireapp/wire-ios-transport/security/advisories/GHSA-v8mx-h3vj-w39v"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-v8mx-h3vj-w39v",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-32755",
    "datePublished": "2021-07-13T20:55:09",
    "dateReserved": "2021-05-12T00:00:00",
    "dateUpdated": "2024-08-03T23:33:55.754Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-32666 (GCVE-0-2021-32666)

Vulnerability from nvd – Published: 2021-06-03 21:35 – Updated: 2024-08-03 23:25
Title
Asset DoS vulnerability
Summary
wire-ios is the iOS version of Wire, an open-source secure messaging app. In wire-ios versions 3.8.0 and prior, a vulnerability exists that can cause a denial of service between users. If a user has an invalid assetID for their profile picture and it contains the " character, it will cause the iOS client to crash. The vulnerability is patched in wire-ios version 3.8.1.
CWE
  • CWE-20 - Improper Input Validation
Assigner
Impacted products
Vendor Product Version
wireapp wire-ios Affected: <= 3.8.0

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T23:25:31.090Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-2x9x-vh27-h4rv"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/wireapp/wire-ios-data-model/commit/35af3f632085f51a2ce7f608fdaeffd1a69ad89f"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "wire-ios",
          "vendor": "wireapp",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 3.8.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "wire-ios is the iOS version of Wire, an open-source secure messaging app. In wire-ios versions 3.8.0 and prior, a vulnerability exists that can cause a denial of service between users. If a user has an invalid assetID for their profile picture and it contains the \" character, it will cause the iOS client to crash. The vulnerability is patched in wire-ios version 3.8.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20: Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-06-03T21:35:10",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-2x9x-vh27-h4rv"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/wireapp/wire-ios-data-model/commit/35af3f632085f51a2ce7f608fdaeffd1a69ad89f"
        }
      ],
      "source": {
        "advisory": "GHSA-2x9x-vh27-h4rv",
        "discovery": "UNKNOWN"
      },
      "title": "Asset DoS vulnerability",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-32666",
          "STATE": "PUBLIC",
          "TITLE": "Asset DoS vulnerability"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "wire-ios",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c= 3.8.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "wireapp"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "wire-ios is the iOS version of Wire, an open-source secure messaging app. In wire-ios versions 3.8.0 and prior, a vulnerability exists that can cause a denial of service between users. If a user has an invalid assetID for their profile picture and it contains the \" character, it will cause the iOS client to crash. The vulnerability is patched in wire-ios version 3.8.1."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-20: Improper Input Validation"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-2x9x-vh27-h4rv",
              "refsource": "CONFIRM",
              "url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-2x9x-vh27-h4rv"
            },
            {
              "name": "https://github.com/wireapp/wire-ios-data-model/commit/35af3f632085f51a2ce7f608fdaeffd1a69ad89f",
              "refsource": "MISC",
              "url": "https://github.com/wireapp/wire-ios-data-model/commit/35af3f632085f51a2ce7f608fdaeffd1a69ad89f"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-2x9x-vh27-h4rv",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-32666",
    "datePublished": "2021-06-03T21:35:10",
    "dateReserved": "2021-05-12T00:00:00",
    "dateUpdated": "2024-08-03T23:25:31.090Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-32665 (GCVE-0-2021-32665)

Vulnerability from nvd – Published: 2021-06-03 21:00 – Updated: 2024-08-03 23:25
Title
Verified groups not reliable
Summary
wire-ios is the iOS version of Wire, an open-source secure messaging app. wire-ios versions 3.8.0 and earlier have a bug in which a conversation could be incorrectly set to "unverified". This occurs when: (1) the self user is added to a new conversation; (2) the self user is added to an existing conversation; (3) all the participants in the conversation were previously marked as verified. The vulnerability is patched in wire-ios version 3.8.1. As a workaround, one can unverify & verify a device in the conversation.
CWE
  • CWE-345 - Insufficient Verification of Data Authenticity
Assigner
Impacted products
Vendor Product Version
wireapp wire-ios Affected: <= 3.8.0

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T23:25:31.122Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-mc65-7w99-c6qv"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/wireapp/wire-ios-data-model/commit/bf9db85886b12a20c8374f55b7c4a610e8ae9220"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "wire-ios",
          "vendor": "wireapp",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 3.8.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "wire-ios is the iOS version of Wire, an open-source secure messaging app. wire-ios versions 3.8.0 and earlier have a bug in which a conversation could be incorrectly set to \"unverified. This occurs when: - Self user is added to a new conversation - Self user is added to an existing conversation - All the participants in the conversation were previously marked as verified. The vulnerability is patched in wire-ios version 3.8.1. As a workaround, one can unverify \u0026 verify a device in the conversation."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-345",
              "description": "CWE-345: Insufficient Verification of Data Authenticity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-06-03T21:00:12",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-mc65-7w99-c6qv"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/wireapp/wire-ios-data-model/commit/bf9db85886b12a20c8374f55b7c4a610e8ae9220"
        }
      ],
      "source": {
        "advisory": "GHSA-mc65-7w99-c6qv",
        "discovery": "UNKNOWN"
      },
      "title": "Verified groups not reliable",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-32665",
          "STATE": "PUBLIC",
          "TITLE": "Verified groups not reliable"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "wire-ios",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c= 3.8.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "wireapp"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "wire-ios is the iOS version of Wire, an open-source secure messaging app. wire-ios versions 3.8.0 and earlier have a bug in which a conversation could be incorrectly set to \"unverified. This occurs when: - Self user is added to a new conversation - Self user is added to an existing conversation - All the participants in the conversation were previously marked as verified. The vulnerability is patched in wire-ios version 3.8.1. As a workaround, one can unverify \u0026 verify a device in the conversation."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-345: Insufficient Verification of Data Authenticity"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-mc65-7w99-c6qv",
              "refsource": "CONFIRM",
              "url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-mc65-7w99-c6qv"
            },
            {
              "name": "https://github.com/wireapp/wire-ios-data-model/commit/bf9db85886b12a20c8374f55b7c4a610e8ae9220",
              "refsource": "MISC",
              "url": "https://github.com/wireapp/wire-ios-data-model/commit/bf9db85886b12a20c8374f55b7c4a610e8ae9220"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-mc65-7w99-c6qv",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-32665",
    "datePublished": "2021-06-03T21:00:12",
    "dateReserved": "2021-05-12T00:00:00",
    "dateUpdated": "2024-08-03T23:25:31.122Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}