CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-22737 – wire-server vulnerable to unauthorized removal of Bots from Conversations
https://notcve.org/view.php?id=CVE-2023-22737
wire-server provides back end services for Wire, a team communication and collaboration platform. Prior to version 2022-12-09, every member of a Conversation can remove a Bot from a Conversation due to a missing permissions check. Only Conversation admins should be able to remove Bots. Regular Conversations are not allowed to do so. The issue is fixed in wire-server 2022-12-09 and is already deployed on all Wire managed services. • https://github.com/wireapp/wire-server/commit/494a6881f5895d4ed9e5d011455242be0d5e6223 https://github.com/wireapp/wire-server/pull/2870 https://github.com/wireapp/wire-server/releases/tag/v2022-12-09 https://github.com/wireapp/wire-server/security/advisories/GHSA-xmjc-c6w3-pcp4 • CWE-280: Improper Handling of Insufficient Permissions or Privileges CWE-862: Missing Authorization •
CVSS: 4.7EPSS: 0%CPEs: 1EXPL: 1CVE-2022-43673
https://notcve.org/view.php?id=CVE-2022-43673
Wire through 3.22.3993 on Windows advertises deletion of sent messages; nonetheless, all messages can be retrieved (for a limited period of time) from the AppData\Roaming\Wire\IndexedDB\https_app.wire.com_0.indexeddb.leveldb database. La conexión hasta 3.22.3993 en Windows anuncia la eliminación de mensajes enviados; no obstante, todos los mensajes se pueden recuperar (por un período de tiempo limitado) de la base de datos AppData\Roaming\Wire\IndexedDB\https_app.wire.com_0.indexeddb.leveldb. • https://wire.com https://www.secuvera.de/advisories/secuvera-SA-2022-01.txt • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-31009 – DoS vulnerability: Invalid Accent Colors
https://notcve.org/view.php?id=CVE-2022-31009
wire-ios is an iOS client for the Wire secure messaging application. Invalid accent colors of Wire communication partners may render the iOS Wire Client partially unusable by causing it to crash multiple times on launch. These invalid accent colors can be used by and sent between Wire users. The root cause was an unnecessary assert statement when converting an integer value into the corresponding enum value, causing an exception instead of a fallback to a default value. This issue is fixed in [wire-ios](https://github.com/wireapp/wire-ios/commit/caa0e27dbe51f9edfda8c7a9f017d93b8cfddefb) and in Wire for iOS 3.100. • https://github.com/wireapp/wire-ios/commit/caa0e27dbe51f9edfda8c7a9f017d93b8cfddefb https://github.com/wireapp/wire-ios/security/advisories/GHSA-83m6-p7x5-925j • CWE-617: Reachable Assertion •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2022-23625 – DoS vulnerability: Malformed Resource Identifiers
https://notcve.org/view.php?id=CVE-2022-23625
Wire-ios is a messaging application using the wire protocol on apple's ios platform. In versions prior to 3.95 malformed resource identifiers may render the iOS Wire Client completely unusable by causing it to repeatedly crash on launch. These malformed resource identifiers can be generated and sent between Wire users. The root cause lies in [wireapp/wire-ios-transport](https://github.com/wireapp/wire-ios-transport), where code responsible for removing sensible tokens before logging may fail and lead to a crash (Swift exception) of the application. This causes undesirable behavior, however the (greater) Wire system is still functional. • https://github.com/wireapp/wire-ios-transport/commit/02e90aa45edaf7eb2d8b97fa2377cd8104274170 https://github.com/wireapp/wire-ios-transport/security/advisories/GHSA-3xvh-x964-572h https://github.com/wireapp/wire-ios/security/advisories/GHSA-rq36-8qfp-79mc • CWE-755: Improper Handling of Exceptional Conditions •
CVSS: 4.6EPSS: 0%CPEs: 1EXPL: 0CVE-2021-41094 – Mandatory encryption at rest can be bypassed (UI) in Wire app
https://notcve.org/view.php?id=CVE-2021-41094
Wire is an open source secure messenger. Users of Wire by Bund may bypass the mandatory encryption at rest feature by simply disabling their device passcode. Upon launching, the app will attempt to enable encryption at rest by generating encryption keys via the Secure Enclave, however it will fail silently if no device passcode is set. The user has no indication that encryption at rest is not active since the feature is hidden to them. This issue has been resolved in version 3.70 Wire es una mensajería segura de código abierto. • https://github.com/wireapp/wire-ios/commit/5ba3eb180efc3fc795d095f9c84ae7f109b84746 https://github.com/wireapp/wire-ios/security/advisories/GHSA-h4m7-pr8h-j7rf • CWE-668: Exposure of Resource to Wrong Sphere •