Vulnerabilites related to wire - wire
CVE-2021-32755 (GCVE-0-2021-32755)
Vulnerability from cvelistv5
Published
2021-07-13 20:55
Modified
2024-08-03 23:33
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-295 - Improper Certificate Validation
Summary
Wire is a collaboration platform. wire-ios-transport handles authentication of requests, network failures, and retries for the iOS implementation of Wire. In the 3.82 version of the iOS application, a new web socket implementation was introduced for users running iOS 13 or higher. This new websocket implementation is not configured to enforce certificate pinning when available. Certificate pinning for the new websocket is enforced in version 3.84 or above.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wireapp | wire-ios-transport |
Version: = 3.8.2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:33:55.754Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/wireapp/wire-ios-transport/security/advisories/GHSA-v8mx-h3vj-w39v"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "wire-ios-transport",
"vendor": "wireapp",
"versions": [
{
"status": "affected",
"version": "= 3.8.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Wire is a collaboration platform. wire-ios-transport handles authentication of requests, network failures, and retries for the iOS implementation of Wire. In the 3.82 version of the iOS application, a new web socket implementation was introduced for users running iOS 13 or higher. This new websocket implementation is not configured to enforce certificate pinning when available. Certificate pinning for the new websocket is enforced in version 3.84 or above."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-295",
"description": "CWE-295: Improper Certificate Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-13T20:55:09",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/wireapp/wire-ios-transport/security/advisories/GHSA-v8mx-h3vj-w39v"
}
],
"source": {
"advisory": "GHSA-v8mx-h3vj-w39v",
"discovery": "UNKNOWN"
},
"title": "Certificate pinning is not enforced on the web socket connection",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-32755",
"STATE": "PUBLIC",
"TITLE": "Certificate pinning is not enforced on the web socket connection"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "wire-ios-transport",
"version": {
"version_data": [
{
"version_value": "= 3.8.2"
}
]
}
}
]
},
"vendor_name": "wireapp"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Wire is a collaboration platform. wire-ios-transport handles authentication of requests, network failures, and retries for the iOS implementation of Wire. In the 3.82 version of the iOS application, a new web socket implementation was introduced for users running iOS 13 or higher. This new websocket implementation is not configured to enforce certificate pinning when available. Certificate pinning for the new websocket is enforced in version 3.84 or above."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-295: Improper Certificate Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/wireapp/wire-ios-transport/security/advisories/GHSA-v8mx-h3vj-w39v",
"refsource": "CONFIRM",
"url": "https://github.com/wireapp/wire-ios-transport/security/advisories/GHSA-v8mx-h3vj-w39v"
}
]
},
"source": {
"advisory": "GHSA-v8mx-h3vj-w39v",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-32755",
"datePublished": "2021-07-13T20:55:09",
"dateReserved": "2021-05-12T00:00:00",
"dateUpdated": "2024-08-03T23:33:55.754Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-41093 (GCVE-0-2021-41093)
Vulnerability from cvelistv5
Published
2021-10-04 18:15
Modified
2024-08-04 02:59
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-285 - Improper Authorization
Summary
Wire is an open source secure messenger. In affected versions if the an attacker gets an old but valid access token they can take over an account by changing the email. This issue has been resolved in version 3.86 which uses a new endpoint which additionally requires an authentication cookie. See wire-ios-sync-engine and wire-ios-transport references. This is the root advisory that pulls the changes together.
References
| ► | URL | Tags |
|---|---|---|
|
|
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T02:59:31.525Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-6f4c-phfj-m255"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/wireapp/wire-ios-sync-engine/security/advisories/GHSA-w727-5f74-49xj"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/wireapp/wire-ios-transport/security/advisories/GHSA-p354-6r3m-g4xr"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/wireapp/wire-server/security/advisories/GHSA-9rm2-w6pq-333m"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/wireapp/wire-ios/commit/b0e7bb3b13dd8212032cb46e32edf701694687c7"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "wire-ios",
"vendor": "wireapp",
"versions": [
{
"status": "affected",
"version": "\u003c 3.86"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Wire is an open source secure messenger. In affected versions if the an attacker gets an old but valid access token they can take over an account by changing the email. This issue has been resolved in version 3.86 which uses a new endpoint which additionally requires an authentication cookie. See wire-ios-sync-engine and wire-ios-transport references. This is the root advisory that pulls the changes together."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-04T18:15:11",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-6f4c-phfj-m255"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/wireapp/wire-ios-sync-engine/security/advisories/GHSA-w727-5f74-49xj"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/wireapp/wire-ios-transport/security/advisories/GHSA-p354-6r3m-g4xr"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/wireapp/wire-server/security/advisories/GHSA-9rm2-w6pq-333m"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/wireapp/wire-ios/commit/b0e7bb3b13dd8212032cb46e32edf701694687c7"
}
],
"source": {
"advisory": "GHSA-6f4c-phfj-m255",
"discovery": "UNKNOWN"
},
"title": "Account takeover when having only access to a user\u0027s short lived token",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-41093",
"STATE": "PUBLIC",
"TITLE": "Account takeover when having only access to a user\u0027s short lived token"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "wire-ios",
"version": {
"version_data": [
{
"version_value": "\u003c 3.86"
}
]
}
}
]
},
"vendor_name": "wireapp"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Wire is an open source secure messenger. In affected versions if the an attacker gets an old but valid access token they can take over an account by changing the email. This issue has been resolved in version 3.86 which uses a new endpoint which additionally requires an authentication cookie. See wire-ios-sync-engine and wire-ios-transport references. This is the root advisory that pulls the changes together."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-285: Improper Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-6f4c-phfj-m255",
"refsource": "CONFIRM",
"url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-6f4c-phfj-m255"
},
{
"name": "https://github.com/wireapp/wire-ios-sync-engine/security/advisories/GHSA-w727-5f74-49xj",
"refsource": "MISC",
"url": "https://github.com/wireapp/wire-ios-sync-engine/security/advisories/GHSA-w727-5f74-49xj"
},
{
"name": "https://github.com/wireapp/wire-ios-transport/security/advisories/GHSA-p354-6r3m-g4xr",
"refsource": "MISC",
"url": "https://github.com/wireapp/wire-ios-transport/security/advisories/GHSA-p354-6r3m-g4xr"
},
{
"name": "https://github.com/wireapp/wire-server/security/advisories/GHSA-9rm2-w6pq-333m",
"refsource": "MISC",
"url": "https://github.com/wireapp/wire-server/security/advisories/GHSA-9rm2-w6pq-333m"
},
{
"name": "https://github.com/wireapp/wire-ios/commit/b0e7bb3b13dd8212032cb46e32edf701694687c7",
"refsource": "MISC",
"url": "https://github.com/wireapp/wire-ios/commit/b0e7bb3b13dd8212032cb46e32edf701694687c7"
}
]
},
"source": {
"advisory": "GHSA-6f4c-phfj-m255",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-41093",
"datePublished": "2021-10-04T18:15:11",
"dateReserved": "2021-09-15T00:00:00",
"dateUpdated": "2024-08-04T02:59:31.525Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-27853 (GCVE-0-2020-27853)
Vulnerability from cvelistv5
Published
2020-10-27 17:53
Modified
2024-08-04 16:25
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Wire before 2020-10-16 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a format string. This affects Wire AVS (Audio, Video, and Signaling) 5.3 through 6.x before 6.4, the Wire Secure Messenger application before 3.49.918 for Android, and the Wire Secure Messenger application before 3.61 for iOS. This occurs via the value parameter to sdp_media_set_lattr in peerflow/sdp.c.
References
| ► | URL | Tags |
|---|---|---|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:25:43.686Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/wireapp/wire-audio-video-signaling/issues/23#issuecomment-710075689"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://github.security.telekom.com/2020/11/wire-secure-messenger-format-string-vulnerability.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Wire before 2020-10-16 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a format string. This affects Wire AVS (Audio, Video, and Signaling) 5.3 through 6.x before 6.4, the Wire Secure Messenger application before 3.49.918 for Android, and the Wire Secure Messenger application before 3.61 for iOS. This occurs via the value parameter to sdp_media_set_lattr in peerflow/sdp.c."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-11-09T17:48:16",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/wireapp/wire-audio-video-signaling/issues/23#issuecomment-710075689"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://github.security.telekom.com/2020/11/wire-secure-messenger-format-string-vulnerability.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-27853",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Wire before 2020-10-16 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a format string. This affects Wire AVS (Audio, Video, and Signaling) 5.3 through 6.x before 6.4, the Wire Secure Messenger application before 3.49.918 for Android, and the Wire Secure Messenger application before 3.61 for iOS. This occurs via the value parameter to sdp_media_set_lattr in peerflow/sdp.c."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/wireapp/wire-audio-video-signaling/issues/23#issuecomment-710075689",
"refsource": "MISC",
"url": "https://github.com/wireapp/wire-audio-video-signaling/issues/23#issuecomment-710075689"
},
{
"name": "http://github.security.telekom.com/2020/11/wire-secure-messenger-format-string-vulnerability.html",
"refsource": "MISC",
"url": "http://github.security.telekom.com/2020/11/wire-secure-messenger-format-string-vulnerability.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-27853",
"datePublished": "2020-10-27T17:53:51",
"dateReserved": "2020-10-27T00:00:00",
"dateUpdated": "2024-08-04T16:25:43.686Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-41094 (GCVE-0-2021-41094)
Vulnerability from cvelistv5
Published
2021-10-04 18:20
Modified
2024-08-04 02:59
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-668 - Exposure of Resource to Wrong Sphere
Summary
Wire is an open source secure messenger. Users of Wire by Bund may bypass the mandatory encryption at rest feature by simply disabling their device passcode. Upon launching, the app will attempt to enable encryption at rest by generating encryption keys via the Secure Enclave, however it will fail silently if no device passcode is set. The user has no indication that encryption at rest is not active since the feature is hidden to them. This issue has been resolved in version 3.70
References
| ► | URL | Tags |
|---|---|---|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T02:59:31.399Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-h4m7-pr8h-j7rf"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/wireapp/wire-ios/commit/5ba3eb180efc3fc795d095f9c84ae7f109b84746"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "wire-ios",
"vendor": "wireapp",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.68, \u003c 3.70"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Wire is an open source secure messenger. Users of Wire by Bund may bypass the mandatory encryption at rest feature by simply disabling their device passcode. Upon launching, the app will attempt to enable encryption at rest by generating encryption keys via the Secure Enclave, however it will fail silently if no device passcode is set. The user has no indication that encryption at rest is not active since the feature is hidden to them. This issue has been resolved in version 3.70"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-668",
"description": "CWE-668: Exposure of Resource to Wrong Sphere",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-04T18:20:13",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-h4m7-pr8h-j7rf"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/wireapp/wire-ios/commit/5ba3eb180efc3fc795d095f9c84ae7f109b84746"
}
],
"source": {
"advisory": "GHSA-h4m7-pr8h-j7rf",
"discovery": "UNKNOWN"
},
"title": "Mandatory encryption at rest can be bypassed (UI) in Wire app",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-41094",
"STATE": "PUBLIC",
"TITLE": "Mandatory encryption at rest can be bypassed (UI) in Wire app"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "wire-ios",
"version": {
"version_data": [
{
"version_value": "\u003e= 3.68, \u003c 3.70"
}
]
}
}
]
},
"vendor_name": "wireapp"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Wire is an open source secure messenger. Users of Wire by Bund may bypass the mandatory encryption at rest feature by simply disabling their device passcode. Upon launching, the app will attempt to enable encryption at rest by generating encryption keys via the Secure Enclave, however it will fail silently if no device passcode is set. The user has no indication that encryption at rest is not active since the feature is hidden to them. This issue has been resolved in version 3.70"
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-668: Exposure of Resource to Wrong Sphere"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-h4m7-pr8h-j7rf",
"refsource": "CONFIRM",
"url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-h4m7-pr8h-j7rf"
},
{
"name": "https://github.com/wireapp/wire-ios/commit/5ba3eb180efc3fc795d095f9c84ae7f109b84746",
"refsource": "MISC",
"url": "https://github.com/wireapp/wire-ios/commit/5ba3eb180efc3fc795d095f9c84ae7f109b84746"
}
]
},
"source": {
"advisory": "GHSA-h4m7-pr8h-j7rf",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-41094",
"datePublished": "2021-10-04T18:20:13",
"dateReserved": "2021-09-15T00:00:00",
"dateUpdated": "2024-08-04T02:59:31.399Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-8909 (GCVE-0-2018-8909)
Vulnerability from cvelistv5
Published
2018-03-22 06:00
Modified
2024-09-16 23:05
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
The Wire application before 2018-03-07 for Android allows attackers to write to pathnames outside of the downloads directory via a ../ in a filename of a received file, related to AssetService.scala.
References
| ► | URL | Tags |
|---|---|---|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T07:10:46.626Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.x41-dsec.de/reports/X41-Kudelski-Wire-Security-Review-Android.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Wire application before 2018-03-07 for Android allows attackers to write to pathnames outside of the downloads directory via a ../ in a filename of a received file, related to AssetService.scala."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-03-22T06:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.x41-dsec.de/reports/X41-Kudelski-Wire-Security-Review-Android.pdf"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-8909",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Wire application before 2018-03-07 for Android allows attackers to write to pathnames outside of the downloads directory via a ../ in a filename of a received file, related to AssetService.scala."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.x41-dsec.de/reports/X41-Kudelski-Wire-Security-Review-Android.pdf",
"refsource": "MISC",
"url": "https://www.x41-dsec.de/reports/X41-Kudelski-Wire-Security-Review-Android.pdf"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-8909",
"datePublished": "2018-03-22T06:00:00Z",
"dateReserved": "2018-03-22T00:00:00Z",
"dateUpdated": "2024-09-16T23:05:25.482Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-43673 (GCVE-0-2022-43673)
Vulnerability from cvelistv5
Published
2022-11-18 00:00
Modified
2025-04-30 13:54
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Wire through 3.22.3993 on Windows advertises deletion of sent messages; nonetheless, all messages can be retrieved (for a limited period of time) from the AppData\Roaming\Wire\IndexedDB\https_app.wire.com_0.indexeddb.leveldb database.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T13:40:05.649Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://wire.com/"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.secuvera.de/advisories/secuvera-SA-2022-01.txt"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-43673",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-30T13:53:17.843426Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532 Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-30T13:54:07.784Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Wire through 3.22.3993 on Windows advertises deletion of sent messages; nonetheless, all messages can be retrieved (for a limited period of time) from the AppData\\Roaming\\Wire\\IndexedDB\\https_app.wire.com_0.indexeddb.leveldb database."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-18T00:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://wire.com/"
},
{
"url": "https://www.secuvera.de/advisories/secuvera-SA-2022-01.txt"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-43673",
"datePublished": "2022-11-18T00:00:00.000Z",
"dateReserved": "2022-10-24T00:00:00.000Z",
"dateUpdated": "2025-04-30T13:54:07.784Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-32666 (GCVE-0-2021-32666)
Vulnerability from cvelistv5
Published
2021-06-03 21:35
Modified
2024-08-03 23:25
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-20 - Improper Input Validation
Summary
wire-ios is the iOS version of Wire, an open-source secure messaging app. In wire-ios versions 3.8.0 and prior, a vulnerability exists that can cause a denial of service between users. If a user has an invalid assetID for their profile picture and it contains the " character, it will cause the iOS client to crash. The vulnerability is patched in wire-ios version 3.8.1.
References
| ► | URL | Tags |
|---|---|---|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:25:31.090Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-2x9x-vh27-h4rv"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/wireapp/wire-ios-data-model/commit/35af3f632085f51a2ce7f608fdaeffd1a69ad89f"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "wire-ios",
"vendor": "wireapp",
"versions": [
{
"status": "affected",
"version": "\u003c= 3.8.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "wire-ios is the iOS version of Wire, an open-source secure messaging app. In wire-ios versions 3.8.0 and prior, a vulnerability exists that can cause a denial of service between users. If a user has an invalid assetID for their profile picture and it contains the \" character, it will cause the iOS client to crash. The vulnerability is patched in wire-ios version 3.8.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-03T21:35:10",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-2x9x-vh27-h4rv"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/wireapp/wire-ios-data-model/commit/35af3f632085f51a2ce7f608fdaeffd1a69ad89f"
}
],
"source": {
"advisory": "GHSA-2x9x-vh27-h4rv",
"discovery": "UNKNOWN"
},
"title": "Asset DoS vulnerability",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-32666",
"STATE": "PUBLIC",
"TITLE": "Asset DoS vulnerability"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "wire-ios",
"version": {
"version_data": [
{
"version_value": "\u003c= 3.8.0"
}
]
}
}
]
},
"vendor_name": "wireapp"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "wire-ios is the iOS version of Wire, an open-source secure messaging app. In wire-ios versions 3.8.0 and prior, a vulnerability exists that can cause a denial of service between users. If a user has an invalid assetID for their profile picture and it contains the \" character, it will cause the iOS client to crash. The vulnerability is patched in wire-ios version 3.8.1."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-20: Improper Input Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-2x9x-vh27-h4rv",
"refsource": "CONFIRM",
"url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-2x9x-vh27-h4rv"
},
{
"name": "https://github.com/wireapp/wire-ios-data-model/commit/35af3f632085f51a2ce7f608fdaeffd1a69ad89f",
"refsource": "MISC",
"url": "https://github.com/wireapp/wire-ios-data-model/commit/35af3f632085f51a2ce7f608fdaeffd1a69ad89f"
}
]
},
"source": {
"advisory": "GHSA-2x9x-vh27-h4rv",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-32666",
"datePublished": "2021-06-03T21:35:10",
"dateReserved": "2021-05-12T00:00:00",
"dateUpdated": "2024-08-03T23:25:31.090Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-15258 (GCVE-0-2020-15258)
Vulnerability from cvelistv5
Published
2020-10-16 16:50
Modified
2024-08-04 13:15
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-20 - {"":"Improper Input Validation"}
Summary
In Wire before 3.20.x, `shell.openExternal` was used without checking the URL. This vulnerability allows an attacker to execute code on the victims machine by sending messages containing links with arbitrary protocols. The victim has to interact with the link and sees the URL that is opened. The issue was patched by implementing a helper function which checks if the URL's protocol is common. If it is common, the URL will be opened externally. If not, the URL will not be opened and a warning appears for the user informing them that a probably insecure URL was blocked from being executed. The issue is patched in Wire 3.20.x. More technical details about exploitation are available in the linked advisory.
References
| ► | URL | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wireapp | wire-desktop |
Version: < 3.20.x |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:15:18.937Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/wireapp/wire-desktop/security/advisories/GHSA-5gpx-9976-ggpm"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/wireapp/wire-desktop/commit/b3705fffa75a03f055530f55a754face5ac0623b"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://benjamin-altpeter.de/shell-openexternal-dangers/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "wire-desktop",
"vendor": "wireapp",
"versions": [
{
"status": "affected",
"version": "\u003c 3.20.x"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Wire before 3.20.x, `shell.openExternal` was used without checking the URL. This vulnerability allows an attacker to execute code on the victims machine by sending messages containing links with arbitrary protocols. The victim has to interact with the link and sees the URL that is opened. The issue was patched by implementing a helper function which checks if the URL\u0027s protocol is common. If it is common, the URL will be opened externally. If not, the URL will not be opened and a warning appears for the user informing them that a probably insecure URL was blocked from being executed. The issue is patched in Wire 3.20.x. More technical details about exploitation are available in the linked advisory."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "{\"CWE-20\":\"Improper Input Validation\"}",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-10-16T16:50:19",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/wireapp/wire-desktop/security/advisories/GHSA-5gpx-9976-ggpm"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/wireapp/wire-desktop/commit/b3705fffa75a03f055530f55a754face5ac0623b"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://benjamin-altpeter.de/shell-openexternal-dangers/"
}
],
"source": {
"advisory": "GHSA-5gpx-9976-ggpm",
"discovery": "UNKNOWN"
},
"title": "Insecure use of shell.openExternal in Wire",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-15258",
"STATE": "PUBLIC",
"TITLE": "Insecure use of shell.openExternal in Wire"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "wire-desktop",
"version": {
"version_data": [
{
"version_value": "\u003c 3.20.x"
}
]
}
}
]
},
"vendor_name": "wireapp"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Wire before 3.20.x, `shell.openExternal` was used without checking the URL. This vulnerability allows an attacker to execute code on the victims machine by sending messages containing links with arbitrary protocols. The victim has to interact with the link and sees the URL that is opened. The issue was patched by implementing a helper function which checks if the URL\u0027s protocol is common. If it is common, the URL will be opened externally. If not, the URL will not be opened and a warning appears for the user informing them that a probably insecure URL was blocked from being executed. The issue is patched in Wire 3.20.x. More technical details about exploitation are available in the linked advisory."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "{\"CWE-20\":\"Improper Input Validation\"}"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/wireapp/wire-desktop/security/advisories/GHSA-5gpx-9976-ggpm",
"refsource": "CONFIRM",
"url": "https://github.com/wireapp/wire-desktop/security/advisories/GHSA-5gpx-9976-ggpm"
},
{
"name": "https://github.com/wireapp/wire-desktop/commit/b3705fffa75a03f055530f55a754face5ac0623b",
"refsource": "MISC",
"url": "https://github.com/wireapp/wire-desktop/commit/b3705fffa75a03f055530f55a754face5ac0623b"
},
{
"name": "https://benjamin-altpeter.de/shell-openexternal-dangers/",
"refsource": "MISC",
"url": "https://benjamin-altpeter.de/shell-openexternal-dangers/"
}
]
},
"source": {
"advisory": "GHSA-5gpx-9976-ggpm",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-15258",
"datePublished": "2020-10-16T16:50:19",
"dateReserved": "2020-06-25T00:00:00",
"dateUpdated": "2024-08-04T13:15:18.937Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-22737 (GCVE-0-2023-22737)
Vulnerability from cvelistv5
Published
2023-01-27 23:14
Modified
2025-03-10 21:18
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
wire-server provides back end services for Wire, a team communication and collaboration platform. Prior to version 2022-12-09, every member of a Conversation can remove a Bot from a Conversation due to a missing permissions check. Only Conversation admins should be able to remove Bots. Regular Conversations are not allowed to do so. The issue is fixed in wire-server 2022-12-09 and is already deployed on all Wire managed services. On-premise instances of wire-server need to be updated to 2022-12-09/Chart 4.29.0, so that their backends are no longer affected. There are no known workarounds.
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wireapp | wire-server |
Version: < 2022-12-09 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:20:30.226Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/wireapp/wire-server/security/advisories/GHSA-xmjc-c6w3-pcp4",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/wireapp/wire-server/security/advisories/GHSA-xmjc-c6w3-pcp4"
},
{
"name": "https://github.com/wireapp/wire-server/pull/2870",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/wireapp/wire-server/pull/2870"
},
{
"name": "https://github.com/wireapp/wire-server/commit/494a6881f5895d4ed9e5d011455242be0d5e6223",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/wireapp/wire-server/commit/494a6881f5895d4ed9e5d011455242be0d5e6223"
},
{
"name": "https://github.com/wireapp/wire-server/releases/tag/v2022-12-09",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/wireapp/wire-server/releases/tag/v2022-12-09"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-22737",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-10T20:59:01.422903Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-10T21:18:14.172Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "wire-server",
"vendor": "wireapp",
"versions": [
{
"status": "affected",
"version": "\u003c 2022-12-09"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "wire-server provides back end services for Wire, a team communication and collaboration platform. Prior to version 2022-12-09, every member of a Conversation can remove a Bot from a Conversation due to a missing permissions check. Only Conversation admins should be able to remove Bots. Regular Conversations are not allowed to do so. The issue is fixed in wire-server 2022-12-09 and is already deployed on all Wire managed services. On-premise instances of wire-server need to be updated to 2022-12-09/Chart 4.29.0, so that their backends are no longer affected. There are no known workarounds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-280",
"description": "CWE-280: Improper Handling of Insufficient Permissions or Privileges ",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-27T23:14:33.913Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/wireapp/wire-server/security/advisories/GHSA-xmjc-c6w3-pcp4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/wireapp/wire-server/security/advisories/GHSA-xmjc-c6w3-pcp4"
},
{
"name": "https://github.com/wireapp/wire-server/pull/2870",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/wireapp/wire-server/pull/2870"
},
{
"name": "https://github.com/wireapp/wire-server/commit/494a6881f5895d4ed9e5d011455242be0d5e6223",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/wireapp/wire-server/commit/494a6881f5895d4ed9e5d011455242be0d5e6223"
},
{
"name": "https://github.com/wireapp/wire-server/releases/tag/v2022-12-09",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/wireapp/wire-server/releases/tag/v2022-12-09"
}
],
"source": {
"advisory": "GHSA-xmjc-c6w3-pcp4",
"discovery": "UNKNOWN"
},
"title": "wire-server vulnerable to unauthorized removal of Bots from Conversations"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-22737",
"datePublished": "2023-01-27T23:14:33.913Z",
"dateReserved": "2023-01-06T14:21:05.892Z",
"dateUpdated": "2025-03-10T21:18:14.172Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-21301 (GCVE-0-2021-21301)
Vulnerability from cvelistv5
Published
2021-02-11 18:05
Modified
2024-08-03 18:09
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-200 - Information Exposure
Summary
Wire is an open-source collaboration platform. In Wire for iOS (iPhone and iPad) before version 3.75 there is a vulnerability where the video capture isn't stopped in a scenario where a user first has their camera enabled and then disables it. It's a privacy issue because video is streamed to the call when the user believes it is disabled. It impacts all users in video calls. This is fixed in version 3.75.
References
| ► | URL | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:09:15.618Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-7fg4-x8vj-qvxf"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/wireapp/wire-ios/pull/4879"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/wireapp/wire-ios/commit/7e3c30120066c9b10e50cc0d20012d0849c33a40"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "wire-ios",
"vendor": "wireapp",
"versions": [
{
"status": "affected",
"version": "\u003c 3.75"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Wire is an open-source collaboration platform. In Wire for iOS (iPhone and iPad) before version 3.75 there is a vulnerability where the video capture isn\u0027t stopped in a scenario where a user first has their camera enabled and then disables it. It\u0027s a privacy issue because video is streamed to the call when the user believes it is disabled. It impacts all users in video calls. This is fixed in version 3.75."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.6,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Information Exposure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-02-11T18:05:19",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-7fg4-x8vj-qvxf"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/wireapp/wire-ios/pull/4879"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/wireapp/wire-ios/commit/7e3c30120066c9b10e50cc0d20012d0849c33a40"
}
],
"source": {
"advisory": "GHSA-7fg4-x8vj-qvxf",
"discovery": "UNKNOWN"
},
"title": "Video feed was captured while user has disabled video",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-21301",
"STATE": "PUBLIC",
"TITLE": "Video feed was captured while user has disabled video"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "wire-ios",
"version": {
"version_data": [
{
"version_value": "\u003c 3.75"
}
]
}
}
]
},
"vendor_name": "wireapp"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Wire is an open-source collaboration platform. In Wire for iOS (iPhone and iPad) before version 3.75 there is a vulnerability where the video capture isn\u0027t stopped in a scenario where a user first has their camera enabled and then disables it. It\u0027s a privacy issue because video is streamed to the call when the user believes it is disabled. It impacts all users in video calls. This is fixed in version 3.75."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.6,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-200 Information Exposure"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-7fg4-x8vj-qvxf",
"refsource": "CONFIRM",
"url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-7fg4-x8vj-qvxf"
},
{
"name": "https://github.com/wireapp/wire-ios/pull/4879",
"refsource": "MISC",
"url": "https://github.com/wireapp/wire-ios/pull/4879"
},
{
"name": "https://github.com/wireapp/wire-ios/commit/7e3c30120066c9b10e50cc0d20012d0849c33a40",
"refsource": "MISC",
"url": "https://github.com/wireapp/wire-ios/commit/7e3c30120066c9b10e50cc0d20012d0849c33a40"
}
]
},
"source": {
"advisory": "GHSA-7fg4-x8vj-qvxf",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-21301",
"datePublished": "2021-02-11T18:05:19",
"dateReserved": "2020-12-22T00:00:00",
"dateUpdated": "2024-08-03T18:09:15.618Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-32665 (GCVE-0-2021-32665)
Vulnerability from cvelistv5
Published
2021-06-03 21:00
Modified
2024-08-03 23:25
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-345 - Insufficient Verification of Data Authenticity
Summary
wire-ios is the iOS version of Wire, an open-source secure messaging app. wire-ios versions 3.8.0 and earlier have a bug in which a conversation could be incorrectly set to "unverified. This occurs when: - Self user is added to a new conversation - Self user is added to an existing conversation - All the participants in the conversation were previously marked as verified. The vulnerability is patched in wire-ios version 3.8.1. As a workaround, one can unverify & verify a device in the conversation.
References
| ► | URL | Tags |
|---|---|---|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:25:31.122Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-mc65-7w99-c6qv"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/wireapp/wire-ios-data-model/commit/bf9db85886b12a20c8374f55b7c4a610e8ae9220"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "wire-ios",
"vendor": "wireapp",
"versions": [
{
"status": "affected",
"version": "\u003c= 3.8.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "wire-ios is the iOS version of Wire, an open-source secure messaging app. wire-ios versions 3.8.0 and earlier have a bug in which a conversation could be incorrectly set to \"unverified. This occurs when: - Self user is added to a new conversation - Self user is added to an existing conversation - All the participants in the conversation were previously marked as verified. The vulnerability is patched in wire-ios version 3.8.1. As a workaround, one can unverify \u0026 verify a device in the conversation."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-345",
"description": "CWE-345: Insufficient Verification of Data Authenticity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-03T21:00:12",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-mc65-7w99-c6qv"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/wireapp/wire-ios-data-model/commit/bf9db85886b12a20c8374f55b7c4a610e8ae9220"
}
],
"source": {
"advisory": "GHSA-mc65-7w99-c6qv",
"discovery": "UNKNOWN"
},
"title": "Verified groups not reliable",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-32665",
"STATE": "PUBLIC",
"TITLE": "Verified groups not reliable"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "wire-ios",
"version": {
"version_data": [
{
"version_value": "\u003c= 3.8.0"
}
]
}
}
]
},
"vendor_name": "wireapp"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "wire-ios is the iOS version of Wire, an open-source secure messaging app. wire-ios versions 3.8.0 and earlier have a bug in which a conversation could be incorrectly set to \"unverified. This occurs when: - Self user is added to a new conversation - Self user is added to an existing conversation - All the participants in the conversation were previously marked as verified. The vulnerability is patched in wire-ios version 3.8.1. As a workaround, one can unverify \u0026 verify a device in the conversation."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-345: Insufficient Verification of Data Authenticity"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-mc65-7w99-c6qv",
"refsource": "CONFIRM",
"url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-mc65-7w99-c6qv"
},
{
"name": "https://github.com/wireapp/wire-ios-data-model/commit/bf9db85886b12a20c8374f55b7c4a610e8ae9220",
"refsource": "MISC",
"url": "https://github.com/wireapp/wire-ios-data-model/commit/bf9db85886b12a20c8374f55b7c4a610e8ae9220"
}
]
},
"source": {
"advisory": "GHSA-mc65-7w99-c6qv",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-32665",
"datePublished": "2021-06-03T21:00:12",
"dateReserved": "2021-05-12T00:00:00",
"dateUpdated": "2024-08-03T23:25:31.122Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-23625 (GCVE-0-2022-23625)
Vulnerability from cvelistv5
Published
2022-03-11 18:00
Modified
2025-04-23 18:54
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-755 - Improper Handling of Exceptional Conditions
Summary
Wire-ios is a messaging application using the wire protocol on apple's ios platform. In versions prior to 3.95 malformed resource identifiers may render the iOS Wire Client completely unusable by causing it to repeatedly crash on launch. These malformed resource identifiers can be generated and sent between Wire users. The root cause lies in [wireapp/wire-ios-transport](https://github.com/wireapp/wire-ios-transport), where code responsible for removing sensible tokens before logging may fail and lead to a crash (Swift exception) of the application. This causes undesirable behavior, however the (greater) Wire system is still functional. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue.
References
| ► | URL | Tags |
|---|---|---|
|
|
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:51:45.474Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-rq36-8qfp-79mc"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/wireapp/wire-ios-transport/security/advisories/GHSA-3xvh-x964-572h"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/wireapp/wire-ios-transport/commit/02e90aa45edaf7eb2d8b97fa2377cd8104274170"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-23625",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T14:09:11.767474Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T18:54:35.233Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "wire-ios",
"vendor": "wireapp",
"versions": [
{
"status": "affected",
"version": "\u003c 3.95"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Wire-ios is a messaging application using the wire protocol on apple\u0027s ios platform. In versions prior to 3.95 malformed resource identifiers may render the iOS Wire Client completely unusable by causing it to repeatedly crash on launch. These malformed resource identifiers can be generated and sent between Wire users. The root cause lies in [wireapp/wire-ios-transport](https://github.com/wireapp/wire-ios-transport), where code responsible for removing sensible tokens before logging may fail and lead to a crash (Swift exception) of the application. This causes undesirable behavior, however the (greater) Wire system is still functional. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-755",
"description": "CWE-755: Improper Handling of Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-11T18:00:15.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-rq36-8qfp-79mc"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/wireapp/wire-ios-transport/security/advisories/GHSA-3xvh-x964-572h"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/wireapp/wire-ios-transport/commit/02e90aa45edaf7eb2d8b97fa2377cd8104274170"
}
],
"source": {
"advisory": "GHSA-rq36-8qfp-79mc",
"discovery": "UNKNOWN"
},
"title": "DoS vulnerability: Malformed Resource Identifiers",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-23625",
"STATE": "PUBLIC",
"TITLE": "DoS vulnerability: Malformed Resource Identifiers"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "wire-ios",
"version": {
"version_data": [
{
"version_value": "\u003c 3.95"
}
]
}
}
]
},
"vendor_name": "wireapp"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Wire-ios is a messaging application using the wire protocol on apple\u0027s ios platform. In versions prior to 3.95 malformed resource identifiers may render the iOS Wire Client completely unusable by causing it to repeatedly crash on launch. These malformed resource identifiers can be generated and sent between Wire users. The root cause lies in [wireapp/wire-ios-transport](https://github.com/wireapp/wire-ios-transport), where code responsible for removing sensible tokens before logging may fail and lead to a crash (Swift exception) of the application. This causes undesirable behavior, however the (greater) Wire system is still functional. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-755: Improper Handling of Exceptional Conditions"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-rq36-8qfp-79mc",
"refsource": "CONFIRM",
"url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-rq36-8qfp-79mc"
},
{
"name": "https://github.com/wireapp/wire-ios-transport/security/advisories/GHSA-3xvh-x964-572h",
"refsource": "MISC",
"url": "https://github.com/wireapp/wire-ios-transport/security/advisories/GHSA-3xvh-x964-572h"
},
{
"name": "https://github.com/wireapp/wire-ios-transport/commit/02e90aa45edaf7eb2d8b97fa2377cd8104274170",
"refsource": "MISC",
"url": "https://github.com/wireapp/wire-ios-transport/commit/02e90aa45edaf7eb2d8b97fa2377cd8104274170"
}
]
},
"source": {
"advisory": "GHSA-rq36-8qfp-79mc",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-23625",
"datePublished": "2022-03-11T18:00:15.000Z",
"dateReserved": "2022-01-19T00:00:00.000Z",
"dateUpdated": "2025-04-23T18:54:35.233Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-31009 (GCVE-0-2022-31009)
Vulnerability from cvelistv5
Published
2022-06-23 06:40
Modified
2025-04-23 18:09
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-617 - Reachable Assertion
Summary
wire-ios is an iOS client for the Wire secure messaging application. Invalid accent colors of Wire communication partners may render the iOS Wire Client partially unusable by causing it to crash multiple times on launch. These invalid accent colors can be used by and sent between Wire users. The root cause was an unnecessary assert statement when converting an integer value into the corresponding enum value, causing an exception instead of a fallback to a default value. This issue is fixed in [wire-ios](https://github.com/wireapp/wire-ios/commit/caa0e27dbe51f9edfda8c7a9f017d93b8cfddefb) and in Wire for iOS 3.100. There is no workaround available, but users may use other Wire clients (such as the [web app](https://app.wire.com)) to continue using Wire, or upgrade their client.
References
| ► | URL | Tags |
|---|---|---|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T07:03:40.199Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-83m6-p7x5-925j"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/wireapp/wire-ios/commit/caa0e27dbe51f9edfda8c7a9f017d93b8cfddefb"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-31009",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T14:04:59.569231Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T18:09:07.862Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "wire-ios",
"vendor": "wireapp",
"versions": [
{
"status": "affected",
"version": "\u003c 3.100"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "wire-ios is an iOS client for the Wire secure messaging application. Invalid accent colors of Wire communication partners may render the iOS Wire Client partially unusable by causing it to crash multiple times on launch. These invalid accent colors can be used by and sent between Wire users. The root cause was an unnecessary assert statement when converting an integer value into the corresponding enum value, causing an exception instead of a fallback to a default value. This issue is fixed in [wire-ios](https://github.com/wireapp/wire-ios/commit/caa0e27dbe51f9edfda8c7a9f017d93b8cfddefb) and in Wire for iOS 3.100. There is no workaround available, but users may use other Wire clients (such as the [web app](https://app.wire.com)) to continue using Wire, or upgrade their client."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-617",
"description": "CWE-617: Reachable Assertion",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-23T06:40:10.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-83m6-p7x5-925j"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/wireapp/wire-ios/commit/caa0e27dbe51f9edfda8c7a9f017d93b8cfddefb"
}
],
"source": {
"advisory": "GHSA-83m6-p7x5-925j",
"discovery": "UNKNOWN"
},
"title": "DoS vulnerability: Invalid Accent Colors",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-31009",
"STATE": "PUBLIC",
"TITLE": "DoS vulnerability: Invalid Accent Colors"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "wire-ios",
"version": {
"version_data": [
{
"version_value": "\u003c 3.100"
}
]
}
}
]
},
"vendor_name": "wireapp"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "wire-ios is an iOS client for the Wire secure messaging application. Invalid accent colors of Wire communication partners may render the iOS Wire Client partially unusable by causing it to crash multiple times on launch. These invalid accent colors can be used by and sent between Wire users. The root cause was an unnecessary assert statement when converting an integer value into the corresponding enum value, causing an exception instead of a fallback to a default value. This issue is fixed in [wire-ios](https://github.com/wireapp/wire-ios/commit/caa0e27dbe51f9edfda8c7a9f017d93b8cfddefb) and in Wire for iOS 3.100. There is no workaround available, but users may use other Wire clients (such as the [web app](https://app.wire.com)) to continue using Wire, or upgrade their client."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-617: Reachable Assertion"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-83m6-p7x5-925j",
"refsource": "CONFIRM",
"url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-83m6-p7x5-925j"
},
{
"name": "https://github.com/wireapp/wire-ios/commit/caa0e27dbe51f9edfda8c7a9f017d93b8cfddefb",
"refsource": "MISC",
"url": "https://github.com/wireapp/wire-ios/commit/caa0e27dbe51f9edfda8c7a9f017d93b8cfddefb"
}
]
},
"source": {
"advisory": "GHSA-83m6-p7x5-925j",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-31009",
"datePublished": "2022-06-23T06:40:10.000Z",
"dateReserved": "2022-05-18T00:00:00.000Z",
"dateUpdated": "2025-04-23T18:09:07.862Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Vulnerability from fkie_nvd
Published
2021-07-13 21:15
Modified
2024-11-21 06:07
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Summary
Wire is a collaboration platform. wire-ios-transport handles authentication of requests, network failures, and retries for the iOS implementation of Wire. In the 3.82 version of the iOS application, a new web socket implementation was introduced for users running iOS 13 or higher. This new websocket implementation is not configured to enforce certificate pinning when available. Certificate pinning for the new websocket is enforced in version 3.84 or above.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wire:wire:*:*:*:*:*:*:*:*",
"matchCriteriaId": "68C9EF30-515C-4DD1-B2C8-0EF94CA78B9E",
"versionEndExcluding": "3.84",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FF8F6B65-EBEA-4C30-9908-14EF61559016",
"versionStartIncluding": "13.0",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Wire is a collaboration platform. wire-ios-transport handles authentication of requests, network failures, and retries for the iOS implementation of Wire. In the 3.82 version of the iOS application, a new web socket implementation was introduced for users running iOS 13 or higher. This new websocket implementation is not configured to enforce certificate pinning when available. Certificate pinning for the new websocket is enforced in version 3.84 or above."
},
{
"lang": "es",
"value": "Wire es una plataforma de colaboraci\u00f3n. wire-ios-transport maneja la autenticaci\u00f3n de peticiones, los fallos de red y los reintentos para la implementaci\u00f3n de Wire en iOS. En la versi\u00f3n 3.82 de la aplicaci\u00f3n iOS, se introdujo una nueva implementaci\u00f3n de websocket para los usuarios que ejecutan iOS versi\u00f3n 13 o superior. Esta nueva implementaci\u00f3n de websocket no est\u00e1 configurada para aplicar la fijaci\u00f3n de certificados cuando est\u00e1 disponible. La fijaci\u00f3n de certificados para el nuevo websocket se aplica en la versi\u00f3n 3.84 o superior"
}
],
"id": "CVE-2021-32755",
"lastModified": "2024-11-21T06:07:40.630",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-07-13T21:15:07.737",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/wireapp/wire-ios-transport/security/advisories/GHSA-v8mx-h3vj-w39v"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/wireapp/wire-ios-transport/security/advisories/GHSA-v8mx-h3vj-w39v"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-295"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-295"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-01-28 00:15
Modified
2024-11-21 07:45
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
wire-server provides back end services for Wire, a team communication and collaboration platform. Prior to version 2022-12-09, every member of a Conversation can remove a Bot from a Conversation due to a missing permissions check. Only Conversation admins should be able to remove Bots. Regular Conversations are not allowed to do so. The issue is fixed in wire-server 2022-12-09 and is already deployed on all Wire managed services. On-premise instances of wire-server need to be updated to 2022-12-09/Chart 4.29.0, so that their backends are no longer affected. There are no known workarounds.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wire:wire:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6B9F25B1-5AD0-4C54-B866-BABA35EA2586",
"versionEndExcluding": "2022-12-09",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "wire-server provides back end services for Wire, a team communication and collaboration platform. Prior to version 2022-12-09, every member of a Conversation can remove a Bot from a Conversation due to a missing permissions check. Only Conversation admins should be able to remove Bots. Regular Conversations are not allowed to do so. The issue is fixed in wire-server 2022-12-09 and is already deployed on all Wire managed services. On-premise instances of wire-server need to be updated to 2022-12-09/Chart 4.29.0, so that their backends are no longer affected. There are no known workarounds."
},
{
"lang": "es",
"value": "wire-server proporciona servicios back-end para Wire, una plataforma de colaboraci\u00f3n y comunicaci\u00f3n en equipo. Antes de la versi\u00f3n 2022-12-09, cada miembro de una conversaci\u00f3n pod\u00eda eliminar un Bot de una conversaci\u00f3n debido a una falta de verificaci\u00f3n de permisos. Solo los administradores de Conversaciones deber\u00edan poder eliminar Bots. No se permiten conversaciones regulares para hacerlo. El problema se solucion\u00f3 en Wire-server 2022-12-09 y ya est\u00e1 implementado en todos los servicios administrados por Wire. Las instancias locales del servidor de conexi\u00f3n deben actualizarse a 2022-12-09/Chart 4.29.0, para que sus backends ya no se vean afectados. No se conocen workarounds."
}
],
"id": "CVE-2023-22737",
"lastModified": "2024-11-21T07:45:19.600",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-01-28T00:15:08.863",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/wireapp/wire-server/commit/494a6881f5895d4ed9e5d011455242be0d5e6223"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/wireapp/wire-server/pull/2870"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/wireapp/wire-server/releases/tag/v2022-12-09"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/wireapp/wire-server/security/advisories/GHSA-xmjc-c6w3-pcp4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/wireapp/wire-server/commit/494a6881f5895d4ed9e5d011455242be0d5e6223"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/wireapp/wire-server/pull/2870"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/wireapp/wire-server/releases/tag/v2022-12-09"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/wireapp/wire-server/security/advisories/GHSA-xmjc-c6w3-pcp4"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-280"
},
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-02-11 18:15
Modified
2024-11-21 05:47
Severity ?
2.6 (Low) - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
Wire is an open-source collaboration platform. In Wire for iOS (iPhone and iPad) before version 3.75 there is a vulnerability where the video capture isn't stopped in a scenario where a user first has their camera enabled and then disables it. It's a privacy issue because video is streamed to the call when the user believes it is disabled. It impacts all users in video calls. This is fixed in version 3.75.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| security-advisories@github.com | https://github.com/wireapp/wire-ios/commit/7e3c30120066c9b10e50cc0d20012d0849c33a40 | Patch, Third Party Advisory | |
| security-advisories@github.com | https://github.com/wireapp/wire-ios/pull/4879 | Patch, Third Party Advisory | |
| security-advisories@github.com | https://github.com/wireapp/wire-ios/security/advisories/GHSA-7fg4-x8vj-qvxf | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/wireapp/wire-ios/commit/7e3c30120066c9b10e50cc0d20012d0849c33a40 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/wireapp/wire-ios/pull/4879 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/wireapp/wire-ios/security/advisories/GHSA-7fg4-x8vj-qvxf | Patch, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wire:wire:*:*:*:*:*:iphone_os:*:*",
"matchCriteriaId": "9D324BAB-15A4-4787-8EC0-8AE5F18C84A8",
"versionEndExcluding": "3.75",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Wire is an open-source collaboration platform. In Wire for iOS (iPhone and iPad) before version 3.75 there is a vulnerability where the video capture isn\u0027t stopped in a scenario where a user first has their camera enabled and then disables it. It\u0027s a privacy issue because video is streamed to the call when the user believes it is disabled. It impacts all users in video calls. This is fixed in version 3.75."
},
{
"lang": "es",
"value": "Wire es una plataforma de colaboraci\u00f3n de c\u00f3digo abierto.\u0026#xa0;En Wire para iOS (iPhone y iPad) anterior a versi\u00f3n 3.75, se presenta una vulnerabilidad en la que la captura de video no se detiene en un escenario en el que un usuario primero tiene su c\u00e1mara habilitada y luego la deshabilita.\u0026#xa0;Es un problema de privacidad porque el video se transmite a la llamada cuando el usuario cree que est\u00e1 deshabilitado.\u0026#xa0;Afecta a todos los usuarios en las videollamadas.\u0026#xa0;Esto se corrige en la versi\u00f3n 3.75"
}
],
"id": "CVE-2021-21301",
"lastModified": "2024-11-21T05:47:58.573",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.6,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 1.4,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-02-11T18:15:16.910",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/wireapp/wire-ios/commit/7e3c30120066c9b10e50cc0d20012d0849c33a40"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/wireapp/wire-ios/pull/4879"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-7fg4-x8vj-qvxf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/wireapp/wire-ios/commit/7e3c30120066c9b10e50cc0d20012d0849c33a40"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/wireapp/wire-ios/pull/4879"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-7fg4-x8vj-qvxf"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2018-03-22 06:29
Modified
2024-11-21 04:14
Severity ?
Summary
The Wire application before 2018-03-07 for Android allows attackers to write to pathnames outside of the downloads directory via a ../ in a filename of a received file, related to AssetService.scala.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://www.x41-dsec.de/reports/X41-Kudelski-Wire-Security-Review-Android.pdf | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.x41-dsec.de/reports/X41-Kudelski-Wire-Security-Review-Android.pdf | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wire:wire:*:*:*:*:*:android:*:*",
"matchCriteriaId": "E131A7AB-75F5-47A4-A75B-88C119CF610D",
"versionEndExcluding": "2018-03-07",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Wire application before 2018-03-07 for Android allows attackers to write to pathnames outside of the downloads directory via a ../ in a filename of a received file, related to AssetService.scala."
},
{
"lang": "es",
"value": "La aplicaci\u00f3n Wire, en versiones anteriores a 2018-03-07 para Android, permite que atacantes escriban en nombres de ruta fuera del directorio de descargas mediante un ../ en el nombre de archivo de un archivo recibido. Esto se relaciona con AssetService.scala."
}
],
"id": "CVE-2018-8909",
"lastModified": "2024-11-21T04:14:34.907",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-03-22T06:29:00.207",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.x41-dsec.de/reports/X41-Kudelski-Wire-Security-Review-Android.pdf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.x41-dsec.de/reports/X41-Kudelski-Wire-Security-Review-Android.pdf"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-11-18 20:15
Modified
2025-04-30 14:15
Severity ?
4.7 (Medium) - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
4.7 (Medium) - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
4.7 (Medium) - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
Wire through 3.22.3993 on Windows advertises deletion of sent messages; nonetheless, all messages can be retrieved (for a limited period of time) from the AppData\Roaming\Wire\IndexedDB\https_app.wire.com_0.indexeddb.leveldb database.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://wire.com/ | Product | |
| cve@mitre.org | https://www.secuvera.de/advisories/secuvera-SA-2022-01.txt | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://wire.com/ | Product | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.secuvera.de/advisories/secuvera-SA-2022-01.txt | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wire:wire:*:*:*:*:*:windows:*:*",
"matchCriteriaId": "D38C5228-9745-40F1-8651-6609992C9547",
"versionEndIncluding": "3.22.3993",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Wire through 3.22.3993 on Windows advertises deletion of sent messages; nonetheless, all messages can be retrieved (for a limited period of time) from the AppData\\Roaming\\Wire\\IndexedDB\\https_app.wire.com_0.indexeddb.leveldb database."
},
{
"lang": "es",
"value": "La conexi\u00f3n hasta 3.22.3993 en Windows anuncia la eliminaci\u00f3n de mensajes enviados; no obstante, todos los mensajes se pueden recuperar (por un per\u00edodo de tiempo limitado) de la base de datos AppData\\Roaming\\Wire\\IndexedDB\\https_app.wire.com_0.indexeddb.leveldb."
}
],
"id": "CVE-2022-43673",
"lastModified": "2025-04-30T14:15:26.123",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.0,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.0,
"impactScore": 3.6,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2022-11-18T20:15:10.193",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://wire.com/"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.secuvera.de/advisories/secuvera-SA-2022-01.txt"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://wire.com/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.secuvera.de/advisories/secuvera-SA-2022-01.txt"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-532"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-532"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-10-16 17:15
Modified
2024-11-21 05:05
Severity ?
8.0 (High) - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
8.0 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
8.0 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Summary
In Wire before 3.20.x, `shell.openExternal` was used without checking the URL. This vulnerability allows an attacker to execute code on the victims machine by sending messages containing links with arbitrary protocols. The victim has to interact with the link and sees the URL that is opened. The issue was patched by implementing a helper function which checks if the URL's protocol is common. If it is common, the URL will be opened externally. If not, the URL will not be opened and a warning appears for the user informing them that a probably insecure URL was blocked from being executed. The issue is patched in Wire 3.20.x. More technical details about exploitation are available in the linked advisory.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| security-advisories@github.com | https://benjamin-altpeter.de/shell-openexternal-dangers/ | Exploit, Third Party Advisory | |
| security-advisories@github.com | https://github.com/wireapp/wire-desktop/commit/b3705fffa75a03f055530f55a754face5ac0623b | Patch, Third Party Advisory | |
| security-advisories@github.com | https://github.com/wireapp/wire-desktop/security/advisories/GHSA-5gpx-9976-ggpm | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://benjamin-altpeter.de/shell-openexternal-dangers/ | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/wireapp/wire-desktop/commit/b3705fffa75a03f055530f55a754face5ac0623b | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/wireapp/wire-desktop/security/advisories/GHSA-5gpx-9976-ggpm | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wire:wire:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6848687A-01EF-42DF-A478-3DC588AA0E71",
"versionEndExcluding": "3.20.2934",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In Wire before 3.20.x, `shell.openExternal` was used without checking the URL. This vulnerability allows an attacker to execute code on the victims machine by sending messages containing links with arbitrary protocols. The victim has to interact with the link and sees the URL that is opened. The issue was patched by implementing a helper function which checks if the URL\u0027s protocol is common. If it is common, the URL will be opened externally. If not, the URL will not be opened and a warning appears for the user informing them that a probably insecure URL was blocked from being executed. The issue is patched in Wire 3.20.x. More technical details about exploitation are available in the linked advisory."
},
{
"lang": "es",
"value": "En Wire versiones anteriores a 3.20.x, se usaba \"shell.openExternal\" sin comprobar la URL.\u0026#xa0;Esta vulnerabilidad permite a un atacante ejecutar c\u00f3digo en la m\u00e1quina de la v\u00edctima mediante el env\u00edo de mensajes que contienen enlaces con protocolos arbitrarios.\u0026#xa0;La v\u00edctima tiene que interactuar con el enlace y visualizar la URL que es abierta.\u0026#xa0;El problema fue parcheado mediante la implementaci\u00f3n de una funci\u00f3n auxiliar que comprueba si el protocolo de la URL es com\u00fan.\u0026#xa0;Si es com\u00fan, la URL ser\u00e1 abierta externamente.\u0026#xa0;De lo contrario, la URL no ser\u00e1 abierta y aparecer\u00e1 una advertencia para el usuario inform\u00e1ndole que fue probablemente una URL no segura fue bloqueada de ser ejecutada.\u0026#xa0;El problema est\u00e1 parcheado en Wire versiones 3.20.x.\u0026#xa0;M\u00e1s detalles t\u00e9cnicos sobre la explotaci\u00f3n est\u00e1n disponibles en el aviso vinculado"
}
],
"id": "CVE-2020-15258",
"lastModified": "2024-11-21T05:05:12.753",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.3,
"impactScore": 6.0,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-10-16T17:15:12.247",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://benjamin-altpeter.de/shell-openexternal-dangers/"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/wireapp/wire-desktop/commit/b3705fffa75a03f055530f55a754face5ac0623b"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/wireapp/wire-desktop/security/advisories/GHSA-5gpx-9976-ggpm"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://benjamin-altpeter.de/shell-openexternal-dangers/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/wireapp/wire-desktop/commit/b3705fffa75a03f055530f55a754face5ac0623b"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/wireapp/wire-desktop/security/advisories/GHSA-5gpx-9976-ggpm"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-10-04 19:15
Modified
2024-11-21 06:25
Severity ?
7.4 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Wire is an open source secure messenger. In affected versions if the an attacker gets an old but valid access token they can take over an account by changing the email. This issue has been resolved in version 3.86 which uses a new endpoint which additionally requires an authentication cookie. See wire-ios-sync-engine and wire-ios-transport references. This is the root advisory that pulls the changes together.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wire:wire:*:*:*:*:*:iphone_os:*:*",
"matchCriteriaId": "3CFFCDE1-A356-44F0-8BBB-2A1E6681620C",
"versionEndExcluding": "3.86",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Wire is an open source secure messenger. In affected versions if the an attacker gets an old but valid access token they can take over an account by changing the email. This issue has been resolved in version 3.86 which uses a new endpoint which additionally requires an authentication cookie. See wire-ios-sync-engine and wire-ios-transport references. This is the root advisory that pulls the changes together."
},
{
"lang": "es",
"value": "Wire es una mensajer\u00eda segura de c\u00f3digo abierto. En las versiones afectadas, si un atacante consigue un token de acceso antiguo pero v\u00e1lido, puede hacerse con una cuenta al cambiar el correo electr\u00f3nico. Este problema ha sido resuelto en la versi\u00f3n 3.86, que usa un nuevo endpoint que requiere adicionalmente una cookie de autenticaci\u00f3n. Ver las referencias wire-ios-sync-engine y wire-ios-transport. Este es el aviso root que re\u00fane los cambios"
}
],
"id": "CVE-2021-41093",
"lastModified": "2024-11-21T06:25:26.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 5.2,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-10-04T19:15:08.203",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Broken Link"
],
"url": "https://github.com/wireapp/wire-ios-sync-engine/security/advisories/GHSA-w727-5f74-49xj"
},
{
"source": "security-advisories@github.com",
"tags": [
"Broken Link"
],
"url": "https://github.com/wireapp/wire-ios-transport/security/advisories/GHSA-p354-6r3m-g4xr"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/wireapp/wire-ios/commit/b0e7bb3b13dd8212032cb46e32edf701694687c7"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-6f4c-phfj-m255"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/wireapp/wire-server/security/advisories/GHSA-9rm2-w6pq-333m"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "https://github.com/wireapp/wire-ios-sync-engine/security/advisories/GHSA-w727-5f74-49xj"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "https://github.com/wireapp/wire-ios-transport/security/advisories/GHSA-p354-6r3m-g4xr"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/wireapp/wire-ios/commit/b0e7bb3b13dd8212032cb46e32edf701694687c7"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-6f4c-phfj-m255"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/wireapp/wire-server/security/advisories/GHSA-9rm2-w6pq-333m"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-285"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-06-03 21:15
Modified
2024-11-21 06:07
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Summary
wire-ios is the iOS version of Wire, an open-source secure messaging app. wire-ios versions 3.8.0 and earlier have a bug in which a conversation could be incorrectly set to "unverified. This occurs when: - Self user is added to a new conversation - Self user is added to an existing conversation - All the participants in the conversation were previously marked as verified. The vulnerability is patched in wire-ios version 3.8.1. As a workaround, one can unverify & verify a device in the conversation.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| security-advisories@github.com | https://github.com/wireapp/wire-ios-data-model/commit/bf9db85886b12a20c8374f55b7c4a610e8ae9220 | Patch, Third Party Advisory | |
| security-advisories@github.com | https://github.com/wireapp/wire-ios/security/advisories/GHSA-mc65-7w99-c6qv | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/wireapp/wire-ios-data-model/commit/bf9db85886b12a20c8374f55b7c4a610e8ae9220 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/wireapp/wire-ios/security/advisories/GHSA-mc65-7w99-c6qv | Patch, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wire:wire:*:*:*:*:*:iphone_os:*:*",
"matchCriteriaId": "2DD070A1-55C9-4B0A-85F1-DA8C996520FE",
"versionEndExcluding": "3.81",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "wire-ios is the iOS version of Wire, an open-source secure messaging app. wire-ios versions 3.8.0 and earlier have a bug in which a conversation could be incorrectly set to \"unverified. This occurs when: - Self user is added to a new conversation - Self user is added to an existing conversation - All the participants in the conversation were previously marked as verified. The vulnerability is patched in wire-ios version 3.8.1. As a workaround, one can unverify \u0026 verify a device in the conversation."
},
{
"lang": "es",
"value": "wire-ios es la versi\u00f3n para iOS de Wire, una aplicaci\u00f3n de mensajer\u00eda segura de c\u00f3digo abierto. Las versiones 3.8.0 y anteriores de wire-ios tienen un bug en el que una conversaci\u00f3n podr\u00eda ser incorrectamente establecida como \"no verificada\". Esto ocurre cuando: - Se a\u00f1ade un usuario propio a una nueva conversaci\u00f3n - Es a\u00f1adido un usuario propio a una conversaci\u00f3n existente - Todos los participantes en la conversaci\u00f3n estaban previamente marcados como verificados. La vulnerabilidad est\u00e1 parcheada en wire-ios versi\u00f3n 3.8.1. Como soluci\u00f3n, se puede desverificar y verificar un dispositivo en la conversaci\u00f3n"
}
],
"id": "CVE-2021-32665",
"lastModified": "2024-11-21T06:07:29.323",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-06-03T21:15:07.997",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/wireapp/wire-ios-data-model/commit/bf9db85886b12a20c8374f55b7c4a610e8ae9220"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-mc65-7w99-c6qv"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/wireapp/wire-ios-data-model/commit/bf9db85886b12a20c8374f55b7c4a610e8ae9220"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-mc65-7w99-c6qv"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-345"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-10-04 19:15
Modified
2024-11-21 06:25
Severity ?
4.2 (Medium) - CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N
4.6 (Medium) - CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.6 (Medium) - CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Wire is an open source secure messenger. Users of Wire by Bund may bypass the mandatory encryption at rest feature by simply disabling their device passcode. Upon launching, the app will attempt to enable encryption at rest by generating encryption keys via the Secure Enclave, however it will fail silently if no device passcode is set. The user has no indication that encryption at rest is not active since the feature is hidden to them. This issue has been resolved in version 3.70
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wire:wire:*:*:*:*:*:iphone_os:*:*",
"matchCriteriaId": "406E9C9E-C863-4786-8E78-BA2DDE01FAAE",
"versionEndExcluding": "3.70",
"versionStartIncluding": "3.68",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Wire is an open source secure messenger. Users of Wire by Bund may bypass the mandatory encryption at rest feature by simply disabling their device passcode. Upon launching, the app will attempt to enable encryption at rest by generating encryption keys via the Secure Enclave, however it will fail silently if no device passcode is set. The user has no indication that encryption at rest is not active since the feature is hidden to them. This issue has been resolved in version 3.70"
},
{
"lang": "es",
"value": "Wire es una mensajer\u00eda segura de c\u00f3digo abierto. Los usuarios de Wire by Bund pueden omitir la funcionalidad mandatory encryption at rest simplemente deshabilitando el c\u00f3digo de acceso de su dispositivo. Al iniciarse, la aplicaci\u00f3n intentar\u00e1 habilitar el cifrado en reposo al generar claves de cifrado por medio del Enclave Seguro, pero fallar\u00e1 silenciosamente si no se ha establecido un c\u00f3digo de acceso en el dispositivo. El usuario no presenta ninguna indicaci\u00f3n de que el cifrado en reposo no est\u00e1 activo, ya que la funcionalidad est\u00e1 oculta para \u00e9l. Este problema ha sido resuelto en la versi\u00f3n 3.70"
}
],
"id": "CVE-2021-41094",
"lastModified": "2024-11-21T06:25:27.123",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 2.1,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 3.9,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 0.6,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 0.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-10-04T19:15:08.377",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/wireapp/wire-ios/commit/5ba3eb180efc3fc795d095f9c84ae7f109b84746"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-h4m7-pr8h-j7rf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/wireapp/wire-ios/commit/5ba3eb180efc3fc795d095f9c84ae7f109b84746"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-h4m7-pr8h-j7rf"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-668"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-10-27 18:15
Modified
2024-11-21 05:21
Severity ?
Summary
Wire before 2020-10-16 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a format string. This affects Wire AVS (Audio, Video, and Signaling) 5.3 through 6.x before 6.4, the Wire Secure Messenger application before 3.49.918 for Android, and the Wire Secure Messenger application before 3.61 for iOS. This occurs via the value parameter to sdp_media_set_lattr in peerflow/sdp.c.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://github.security.telekom.com/2020/11/wire-secure-messenger-format-string-vulnerability.html | Exploit, Third Party Advisory | |
| cve@mitre.org | https://github.com/wireapp/wire-audio-video-signaling/issues/23#issuecomment-710075689 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://github.security.telekom.com/2020/11/wire-secure-messenger-format-string-vulnerability.html | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/wireapp/wire-audio-video-signaling/issues/23#issuecomment-710075689 | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| wire | wire | * | |
| wire | wire | * | |
| wire | wire | * | |
| wire | wire_-_audio\,_video\,_and_signaling | * | |
| wire | wire_secure_messenger | * | |
| wire | wire_secure_messenger | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wire:wire:*:*:*:*:*:linux:*:*",
"matchCriteriaId": "CA9D04BA-6B65-40EE-97B0-737A3AF71FF1",
"versionEndExcluding": "3.21.2936",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wire:wire:*:*:*:*:*:windows:*:*",
"matchCriteriaId": "D52F6D1D-B802-41E3-8FFB-FD540CD4DAC4",
"versionEndExcluding": "3.21.3932",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wire:wire:*:*:*:*:*:macos:*:*",
"matchCriteriaId": "5460A223-65D5-4907-BF1B-CE4FF9D0B5BE",
"versionEndExcluding": "3.21.3959",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wire:wire_-_audio\\,_video\\,_and_signaling:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BDC2FBAD-91E2-4359-8C93-E6162D56B184",
"versionEndExcluding": "6.4",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wire:wire_secure_messenger:*:*:*:*:*:android:*:*",
"matchCriteriaId": "07C4E54F-0E4D-40DF-B2B4-435BB307F92A",
"versionEndExcluding": "3.49.918",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wire:wire_secure_messenger:*:*:*:*:*:iphone_os:*:*",
"matchCriteriaId": "3A280934-8655-4A82-9595-8F1B3D1036ED",
"versionEndExcluding": "3.61",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Wire before 2020-10-16 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a format string. This affects Wire AVS (Audio, Video, and Signaling) 5.3 through 6.x before 6.4, the Wire Secure Messenger application before 3.49.918 for Android, and the Wire Secure Messenger application before 3.61 for iOS. This occurs via the value parameter to sdp_media_set_lattr in peerflow/sdp.c."
},
{
"lang": "es",
"value": "Wire antes de 16-10-2020, permite a atacantes remotos causar una denegaci\u00f3n de servicio (bloqueo de aplicaci\u00f3n) o posiblemente ejecutar c\u00f3digo arbitrario por medio de una cadena de formato.\u0026#xa0;Esto afecta a Wire AVS (Audio, Video, y Signaling) versiones 5.3 hasta 6.x anteriores a 6.4, la aplicaci\u00f3n Wire Secure Messenger versiones anteriores a 3.49.918 para Android y la aplicaci\u00f3n Wire Secure Messenger versiones anteriores a 3.61 para iOS.\u0026#xa0;Esto ocurre por medio del par\u00e1metro value en la funci\u00f3n sdp_media_set_lattr en el archivo peerflow/sdp.c."
}
],
"id": "CVE-2020-27853",
"lastModified": "2024-11-21T05:21:56.270",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-10-27T18:15:12.620",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "http://github.security.telekom.com/2020/11/wire-secure-messenger-format-string-vulnerability.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/wireapp/wire-audio-video-signaling/issues/23#issuecomment-710075689"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "http://github.security.telekom.com/2020/11/wire-secure-messenger-format-string-vulnerability.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/wireapp/wire-audio-video-signaling/issues/23#issuecomment-710075689"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-134"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-06-23 07:15
Modified
2024-11-21 07:03
Severity ?
5.7 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
wire-ios is an iOS client for the Wire secure messaging application. Invalid accent colors of Wire communication partners may render the iOS Wire Client partially unusable by causing it to crash multiple times on launch. These invalid accent colors can be used by and sent between Wire users. The root cause was an unnecessary assert statement when converting an integer value into the corresponding enum value, causing an exception instead of a fallback to a default value. This issue is fixed in [wire-ios](https://github.com/wireapp/wire-ios/commit/caa0e27dbe51f9edfda8c7a9f017d93b8cfddefb) and in Wire for iOS 3.100. There is no workaround available, but users may use other Wire clients (such as the [web app](https://app.wire.com)) to continue using Wire, or upgrade their client.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wire:wire:*:*:*:*:*:iphone_os:*:*",
"matchCriteriaId": "EE5B3BFC-EC98-48AF-A866-2E3E463AAC7F",
"versionEndExcluding": "3.100",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "wire-ios is an iOS client for the Wire secure messaging application. Invalid accent colors of Wire communication partners may render the iOS Wire Client partially unusable by causing it to crash multiple times on launch. These invalid accent colors can be used by and sent between Wire users. The root cause was an unnecessary assert statement when converting an integer value into the corresponding enum value, causing an exception instead of a fallback to a default value. This issue is fixed in [wire-ios](https://github.com/wireapp/wire-ios/commit/caa0e27dbe51f9edfda8c7a9f017d93b8cfddefb) and in Wire for iOS 3.100. There is no workaround available, but users may use other Wire clients (such as the [web app](https://app.wire.com)) to continue using Wire, or upgrade their client."
},
{
"lang": "es",
"value": "wire-ios es un cliente iOS para la aplicaci\u00f3n de mensajer\u00eda segura Wire. Los colores de acento no v\u00e1lidos de los interlocutores de comunicaci\u00f3n de Wire pueden hacer que el cliente de Wire para iOS sea parcialmente inusable al hacer que sea bloqueado varias veces al iniciarse. Estos colores de acento no v\u00e1lidos pueden ser usados por los usuarios de Wire y enviados entre ellos. La causa principal era una sentencia assert innecesaria al convertir un valor entero en el valor enum correspondiente, causando una excepci\u00f3n en lugar de un retorno a un valor por defecto. Este problema ha sido corregido en [wire-ios](https://github.com/wireapp/wire-ios/commit/caa0e27dbe51f9edfda8c7a9f017d93b8cfddefb) y en Wire para iOS versi\u00f3n 3.100. No se presenta ninguna mitigaci\u00f3n soluci\u00f3n disponible, pero los usuarios pueden usar otros clientes de Wire (como la [aplicaci\u00f3n web](https://app.wire.com)) para seguir usando Wire, o actualizar su cliente"
}
],
"id": "CVE-2022-31009",
"lastModified": "2024-11-21T07:03:42.460",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-06-23T07:15:07.257",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/wireapp/wire-ios/commit/caa0e27dbe51f9edfda8c7a9f017d93b8cfddefb"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-83m6-p7x5-925j"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/wireapp/wire-ios/commit/caa0e27dbe51f9edfda8c7a9f017d93b8cfddefb"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-83m6-p7x5-925j"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-617"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-06-03 22:15
Modified
2024-11-21 06:07
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
wire-ios is the iOS version of Wire, an open-source secure messaging app. In wire-ios versions 3.8.0 and prior, a vulnerability exists that can cause a denial of service between users. If a user has an invalid assetID for their profile picture and it contains the " character, it will cause the iOS client to crash. The vulnerability is patched in wire-ios version 3.8.1.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| security-advisories@github.com | https://github.com/wireapp/wire-ios-data-model/commit/35af3f632085f51a2ce7f608fdaeffd1a69ad89f | Patch, Third Party Advisory | |
| security-advisories@github.com | https://github.com/wireapp/wire-ios/security/advisories/GHSA-2x9x-vh27-h4rv | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/wireapp/wire-ios-data-model/commit/35af3f632085f51a2ce7f608fdaeffd1a69ad89f | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/wireapp/wire-ios/security/advisories/GHSA-2x9x-vh27-h4rv | Patch, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wire:wire:*:*:*:*:*:iphone_os:*:*",
"matchCriteriaId": "2DD070A1-55C9-4B0A-85F1-DA8C996520FE",
"versionEndExcluding": "3.81",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "wire-ios is the iOS version of Wire, an open-source secure messaging app. In wire-ios versions 3.8.0 and prior, a vulnerability exists that can cause a denial of service between users. If a user has an invalid assetID for their profile picture and it contains the \" character, it will cause the iOS client to crash. The vulnerability is patched in wire-ios version 3.8.1."
},
{
"lang": "es",
"value": "wire-ios es la versi\u00f3n para iOS de Wire, una aplicaci\u00f3n de mensajer\u00eda segura de c\u00f3digo abierto. En wire-ios, versiones 3.8.0 y anteriores se presenta una vulnerabilidad que puede causar una denegaci\u00f3n de servicio entre usuarios. Si un usuario tiene un assetID no v\u00e1lido para su foto de perfil y contiene el car\u00e1cter \", causar\u00e1 que el cliente de iOS se bloquee. La vulnerabilidad est\u00e1 parcheada en la versi\u00f3n 3.8.1 de wire-ios"
}
],
"id": "CVE-2021-32666",
"lastModified": "2024-11-21T06:07:29.430",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-06-03T22:15:08.067",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/wireapp/wire-ios-data-model/commit/35af3f632085f51a2ce7f608fdaeffd1a69ad89f"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-2x9x-vh27-h4rv"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/wireapp/wire-ios-data-model/commit/35af3f632085f51a2ce7f608fdaeffd1a69ad89f"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-2x9x-vh27-h4rv"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-03-11 18:15
Modified
2024-11-21 06:48
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
Wire-ios is a messaging application using the wire protocol on apple's ios platform. In versions prior to 3.95 malformed resource identifiers may render the iOS Wire Client completely unusable by causing it to repeatedly crash on launch. These malformed resource identifiers can be generated and sent between Wire users. The root cause lies in [wireapp/wire-ios-transport](https://github.com/wireapp/wire-ios-transport), where code responsible for removing sensible tokens before logging may fail and lead to a crash (Swift exception) of the application. This causes undesirable behavior, however the (greater) Wire system is still functional. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| wire | wire | * | |
| wire | wire-ios-transport | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wire:wire:*:*:*:*:*:iphone_os:*:*",
"matchCriteriaId": "8676CA54-328C-4C00-8EF8-DD54BF8712E2",
"versionEndExcluding": "3.95",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wire:wire-ios-transport:*:*:*:*:*:iphone_os:*:*",
"matchCriteriaId": "4D57B655-B6AF-481B-8B58-425F1561722D",
"versionEndExcluding": "84.1.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Wire-ios is a messaging application using the wire protocol on apple\u0027s ios platform. In versions prior to 3.95 malformed resource identifiers may render the iOS Wire Client completely unusable by causing it to repeatedly crash on launch. These malformed resource identifiers can be generated and sent between Wire users. The root cause lies in [wireapp/wire-ios-transport](https://github.com/wireapp/wire-ios-transport), where code responsible for removing sensible tokens before logging may fail and lead to a crash (Swift exception) of the application. This causes undesirable behavior, however the (greater) Wire system is still functional. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue."
},
{
"lang": "es",
"value": "Wire-ios es una aplicaci\u00f3n de mensajer\u00eda que usando el protocolo wire en la plataforma ios de apple. En versiones anteriores a 3.95, los identificadores de recursos malformados pueden hacer que el cliente Wire de iOS sea completamente inusable al causar que sea bloqueado repetidamente al iniciarse. Estos identificadores de recursos malformados pueden ser generados y enviados entre usuarios de Wire. La causa root es encontrada en [wireapp/wire-ios-transport](https://github.com/wireapp/wire-ios-transport), donde el c\u00f3digo responsable de eliminar los tokens confidenciales antes del registro puede fallar y conllevar a un fallo (excepci\u00f3n Swift) de la aplicaci\u00f3n. Esto causa un comportamiento no deseable, sin embargo el sistema Wire (mayor) sigue siendo funcional. Es recomendado a usuarios actualizar lo antes posible. No se presentan medidas de mitigaci\u00f3n conocidas para este problema"
}
],
"id": "CVE-2022-23625",
"lastModified": "2024-11-21T06:48:57.743",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-03-11T18:15:31.493",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/wireapp/wire-ios-transport/commit/02e90aa45edaf7eb2d8b97fa2377cd8104274170"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/wireapp/wire-ios-transport/security/advisories/GHSA-3xvh-x964-572h"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-rq36-8qfp-79mc"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/wireapp/wire-ios-transport/commit/02e90aa45edaf7eb2d8b97fa2377cd8104274170"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/wireapp/wire-ios-transport/security/advisories/GHSA-3xvh-x964-572h"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/wireapp/wire-ios/security/advisories/GHSA-rq36-8qfp-79mc"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-755"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-755"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}