cnvd - cnvd-2022-11210

CNVD-2022-11210

Vulnerability from cnvd - Published: 2022-02-17

Title

Wire webapp存在未明漏洞

Description

Wire是个人开发者的一款聊天软件。该软件支持 Web、WindowsiOS、Android、OS X 平台，有群组功能，可以语音通话，发送照片以及其独创性的打招呼方式 PING。 Wire webapp存在安全漏洞，目前没有详细漏洞细节提供。

Severity

低

Patch Name

Wire webapp存在未明漏洞的补丁

Patch Description

Wire是个人开发者的一款聊天软件。该软件支持 Web、WindowsiOS、Android、OS X 平台，有群组功能，可以语音通话，发送照片以及其独创性的打招呼方式 PING。 Wire webapp存在安全漏洞，目前没有详细漏洞细节提供。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://github.com/wireapp/wire-webapp/security/advisories/GHSA-2w3m-ppfg-hg62

Reference

https://github.com/wireapp/wire-webapp/commit/42c9a1edddbdd5d4d8f9a196a98f6fc19bb21741

Impacted products

Name
Wire webapp <2022-01-27-production.0

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2022-23605"
    }
  },
  "description": "Wire\u662f\u4e2a\u4eba\u5f00\u53d1\u8005\u7684\u4e00\u6b3e\u804a\u5929\u8f6f\u4ef6\u3002\u8be5\u8f6f\u4ef6\u652f\u6301 Web\u3001WindowsiOS\u3001Android\u3001OS X \u5e73\u53f0\uff0c\u6709\u7fa4\u7ec4\u529f\u80fd\uff0c\u53ef\u4ee5\u8bed\u97f3\u901a\u8bdd\uff0c\u53d1\u9001\u7167\u7247\u4ee5\u53ca\u5176\u72ec\u521b\u6027\u7684\u6253\u62db\u547c\u65b9\u5f0f PING\u3002\n\nWire webapp\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://github.com/wireapp/wire-webapp/security/advisories/GHSA-2w3m-ppfg-hg62",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2022-11210",
  "openTime": "2022-02-17",
  "patchDescription": "Wire\u662f\u4e2a\u4eba\u5f00\u53d1\u8005\u7684\u4e00\u6b3e\u804a\u5929\u8f6f\u4ef6\u3002\u8be5\u8f6f\u4ef6\u652f\u6301 Web\u3001WindowsiOS\u3001Android\u3001OS X \u5e73\u53f0\uff0c\u6709\u7fa4\u7ec4\u529f\u80fd\uff0c\u53ef\u4ee5\u8bed\u97f3\u901a\u8bdd\uff0c\u53d1\u9001\u7167\u7247\u4ee5\u53ca\u5176\u72ec\u521b\u6027\u7684\u6253\u62db\u547c\u65b9\u5f0f PING\u3002\r\n\r\nWire webapp\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Wire webapp\u5b58\u5728\u672a\u660e\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Wire webapp \u003c2022-01-27-production.0"
  },
  "referenceLink": "https://github.com/wireapp/wire-webapp/commit/42c9a1edddbdd5d4d8f9a196a98f6fc19bb21741",
  "serverity": "\u4f4e",
  "submitTime": "2022-02-09",
  "title": "Wire webapp\u5b58\u5728\u672a\u660e\u6f0f\u6d1e"
}

CVE-2022-23605 (GCVE-0-2022-23605)

Vulnerability from cvelistv5 – Published: 2022-02-04 22:32 – Updated: 2025-04-23 19:08

Summary

Wire webapp is a web client for the wire messaging protocol. In versions prior to 2022-01-27-production.0 expired ephemeral messages were not reliably removed from local chat history of Wire Webapp. In versions before 2022-01-27-production.0 ephemeral messages and assets might still be accessible through the local search functionality. Any attempt to view one of these message in the chat view will then trigger the deletion. This issue only affects locally stored messages. On premise instances of wire-webapp need to be updated to 2022-01-27-production.0, so that their users are no longer affected. There are no known workarounds for this issue.

Severity ?

4.4 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-212 - Improper Removal of Sensitive Information Before Storage or Transfer

Assigner

GitHub_M

References

URL

Tags

	https://github.com/wireapp/wire-webapp/security/a…	x_refsource_CONFIRM
	https://github.com/wireapp/wire-webapp/commit/42c…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	wireapp	wire-webapp	Affected: < 2022-01-27-production.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T03:43:46.973Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/wireapp/wire-webapp/security/advisories/GHSA-2w3m-ppfg-hg62"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/wireapp/wire-webapp/commit/42c9a1edddbdd5d4d8f9a196a98f6fc19bb21741"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-23605",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-23T14:11:23.954891Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-23T19:08:21.606Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "wire-webapp",
          "vendor": "wireapp",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2022-01-27-production.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Wire webapp is a web client for the wire messaging protocol. In versions prior to 2022-01-27-production.0 expired ephemeral messages were not reliably removed from local chat history of Wire Webapp. In versions before 2022-01-27-production.0 ephemeral messages and assets might still be accessible through the local search functionality. Any attempt to view one of these message in the chat view will then trigger the deletion. This issue only affects locally stored messages. On premise instances of wire-webapp need to be updated to 2022-01-27-production.0, so that their users are no longer affected. There are no known workarounds for this issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 4.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-212",
              "description": "CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-02-04T22:32:05.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/wireapp/wire-webapp/security/advisories/GHSA-2w3m-ppfg-hg62"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/wireapp/wire-webapp/commit/42c9a1edddbdd5d4d8f9a196a98f6fc19bb21741"
        }
      ],
      "source": {
        "advisory": "GHSA-2w3m-ppfg-hg62",
        "discovery": "UNKNOWN"
      },
      "title": "Expired Ephemeral Messages not reliably removed in wire-webapp",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-23605",
          "STATE": "PUBLIC",
          "TITLE": "Expired Ephemeral Messages not reliably removed in wire-webapp"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "wire-webapp",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 2022-01-27-production.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "wireapp"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Wire webapp is a web client for the wire messaging protocol. In versions prior to 2022-01-27-production.0 expired ephemeral messages were not reliably removed from local chat history of Wire Webapp. In versions before 2022-01-27-production.0 ephemeral messages and assets might still be accessible through the local search functionality. Any attempt to view one of these message in the chat view will then trigger the deletion. This issue only affects locally stored messages. On premise instances of wire-webapp need to be updated to 2022-01-27-production.0, so that their users are no longer affected. There are no known workarounds for this issue."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 4.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/wireapp/wire-webapp/security/advisories/GHSA-2w3m-ppfg-hg62",
              "refsource": "CONFIRM",
              "url": "https://github.com/wireapp/wire-webapp/security/advisories/GHSA-2w3m-ppfg-hg62"
            },
            {
              "name": "https://github.com/wireapp/wire-webapp/commit/42c9a1edddbdd5d4d8f9a196a98f6fc19bb21741",
              "refsource": "MISC",
              "url": "https://github.com/wireapp/wire-webapp/commit/42c9a1edddbdd5d4d8f9a196a98f6fc19bb21741"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-2w3m-ppfg-hg62",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-23605",
    "datePublished": "2022-02-04T22:32:05.000Z",
    "dateReserved": "2022-01-19T00:00:00.000Z",
    "dateUpdated": "2025-04-23T19:08:21.606Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2022-11210

CVE-2022-23605 (GCVE-0-2022-23605)

Tags

Sightings

Nomenclature