CVSS: 6.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

wire-server provides back end services for Wire, a team communication and collaboration platform. Prior to version 2022-12-09, every member of a Conversation can remove a Bot from a Conversation due to a missing permissions check. Only Conversation admins should be able to remove Bots. Regular Conversation members are not allowed to do so. The issue is fixed in wire-server 2022-12-09 and is already deployed on all Wire managed services.

• https://github.com/wireapp/wire-server/commit/494a6881f5895d4ed9e5d011455242be0d5e6223
• https://github.com/wireapp/wire-server/pull/2870
• https://github.com/wireapp/wire-server/releases/tag/v2022-12-09
• https://github.com/wireapp/wire-server/security/advisories/GHSA-xmjc-c6w3-pcp4
• CWE-280: Improper Handling of Insufficient Permissions or Privileges
• CWE-862: Missing Authorization

CVSS: 4.7 | EPSS: 0% | CPEs: 1 | EXPL: 1

Wire through 3.22.3993 on Windows advertises deletion of sent messages; nonetheless, all messages can be retrieved (for a limited period of time) from the AppData\Roaming\Wire\IndexedDB\https_app.wire.com_0.indexeddb.leveldb database.

• https://wire.com
• https://www.secuvera.de/advisories/secuvera-SA-2022-01.txt
• CWE-532: Insertion of Sensitive Information into Log File

CVSS: 6.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

wire-ios is an iOS client for the Wire secure messaging application. Invalid accent colors of Wire communication partners may render the iOS Wire Client partially unusable by causing it to crash multiple times on launch. These invalid accent colors can be used by and sent between Wire users. The root cause was an unnecessary assert statement when converting an integer value into the corresponding enum value, causing an exception instead of a fallback to a default value. This issue is fixed in [wire-ios](https://github.com/wireapp/wire-ios/commit/caa0e27dbe51f9edfda8c7a9f017d93b8cfddefb) and in Wire for iOS 3.100.

• https://github.com/wireapp/wire-ios/commit/caa0e27dbe51f9edfda8c7a9f017d93b8cfddefb
• https://github.com/wireapp/wire-ios/security/advisories/GHSA-83m6-p7x5-925j
• CWE-617: Reachable Assertion

CVSS: 6.5 | EPSS: 0% | CPEs: 2 | EXPL: 0

Wire-ios is a messaging application using the Wire protocol on Apple's iOS platform. In versions prior to 3.95, malformed resource identifiers may render the iOS Wire Client completely unusable by causing it to repeatedly crash on launch. These malformed resource identifiers can be generated and sent between Wire users. The root cause lies in [wireapp/wire-ios-transport](https://github.com/wireapp/wire-ios-transport), where code responsible for removing sensitive tokens before logging may fail and lead to a crash (Swift exception) of the application. This causes undesirable behavior; however, the (greater) Wire system is still functional.

• https://github.com/wireapp/wire-ios-transport/commit/02e90aa45edaf7eb2d8b97fa2377cd8104274170
• https://github.com/wireapp/wire-ios-transport/security/advisories/GHSA-3xvh-x964-572h
• https://github.com/wireapp/wire-ios/security/advisories/GHSA-rq36-8qfp-79mc
• CWE-755: Improper Handling of Exceptional Conditions

CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

Wire is an open source secure messenger. In affected versions, if an attacker gets an old but valid access token, they can take over an account by changing the email. This issue has been resolved in version 3.86, which uses a new endpoint that additionally requires an authentication cookie. See the wire-ios-sync-engine and wire-ios-transport references. This is the root advisory that pulls the changes together.

• https://github.com/wireapp/wire-ios-sync-engine/security/advisories/GHSA-w727-5f74-49xj
• https://github.com/wireapp/wire-ios-transport/security/advisories/GHSA-p354-6r3m-g4xr
• https://github.com/wireapp/wire-ios/commit/b0e7bb3b13dd8212032cb46e32edf701694687c7
• https://github.com/wireapp/wire-ios/security/advisories/GHSA-6f4c-phfj-m255
• https://github.com/wireapp/wire-server/security/advisories/GHSA-9rm2-w6pq-333m
• CWE-285: Improper Authorization
• CWE-863: Incorrect Authorization