CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 0CVE-2021-32755 – Certificate pinning is not enforced on the web socket connection
https://notcve.org/view.php?id=CVE-2021-32755
Wire is a collaboration platform. wire-ios-transport handles authentication of requests, network failures, and retries for the iOS implementation of Wire. In the 3.82 version of the iOS application, a new web socket implementation was introduced for users running iOS 13 or higher. This new websocket implementation is not configured to enforce certificate pinning when available. Certificate pinning for the new websocket is enforced in version 3.84 or above. Wire es una plataforma de colaboración. wire-ios-transport maneja la autenticación de peticiones, los fallos de red y los reintentos para la implementación de Wire en iOS. • https://github.com/wireapp/wire-ios-transport/security/advisories/GHSA-v8mx-h3vj-w39v • CWE-295: Improper Certificate Validation •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-32666 – Asset DoS vulnerability
https://notcve.org/view.php?id=CVE-2021-32666
wire-ios is the iOS version of Wire, an open-source secure messaging app. In wire-ios versions 3.8.0 and prior, a vulnerability exists that can cause a denial of service between users. If a user has an invalid assetID for their profile picture and it contains the " character, it will cause the iOS client to crash. The vulnerability is patched in wire-ios version 3.8.1. wire-ios es la versión para iOS de Wire, una aplicación de mensajería segura de código abierto. En wire-ios, versiones 3.8.0 y anteriores se presenta una vulnerabilidad que puede causar una denegación de servicio entre usuarios. • https://github.com/wireapp/wire-ios-data-model/commit/35af3f632085f51a2ce7f608fdaeffd1a69ad89f https://github.com/wireapp/wire-ios/security/advisories/GHSA-2x9x-vh27-h4rv • CWE-20: Improper Input Validation •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-32665 – Verified groups not reliable
https://notcve.org/view.php?id=CVE-2021-32665
wire-ios is the iOS version of Wire, an open-source secure messaging app. wire-ios versions 3.8.0 and earlier have a bug in which a conversation could be incorrectly set to "unverified. This occurs when: - Self user is added to a new conversation - Self user is added to an existing conversation - All the participants in the conversation were previously marked as verified. The vulnerability is patched in wire-ios version 3.8.1. As a workaround, one can unverify & verify a device in the conversation. wire-ios es la versión para iOS de Wire, una aplicación de mensajería segura de código abierto. Las versiones 3.8.0 y anteriores de wire-ios tienen un bug en el que una conversación podría ser incorrectamente establecida como "no verificada". • https://github.com/wireapp/wire-ios-data-model/commit/bf9db85886b12a20c8374f55b7c4a610e8ae9220 https://github.com/wireapp/wire-ios/security/advisories/GHSA-mc65-7w99-c6qv • CWE-345: Insufficient Verification of Data Authenticity •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2021-21301 – Video feed was captured while user has disabled video
https://notcve.org/view.php?id=CVE-2021-21301
Wire is an open-source collaboration platform. In Wire for iOS (iPhone and iPad) before version 3.75 there is a vulnerability where the video capture isn't stopped in a scenario where a user first has their camera enabled and then disables it. It's a privacy issue because video is streamed to the call when the user believes it is disabled. It impacts all users in video calls. This is fixed in version 3.75. • https://github.com/wireapp/wire-ios/commit/7e3c30120066c9b10e50cc0d20012d0849c33a40 https://github.com/wireapp/wire-ios/pull/4879 https://github.com/wireapp/wire-ios/security/advisories/GHSA-7fg4-x8vj-qvxf • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2018-8909
https://notcve.org/view.php?id=CVE-2018-8909
The Wire application before 2018-03-07 for Android allows attackers to write to pathnames outside of the downloads directory via a ../ in a filename of a received file, related to AssetService.scala. La aplicación Wire, en versiones anteriores a 2018-03-07 para Android, permite que atacantes escriban en nombres de ruta fuera del directorio de descargas mediante un ../ en el nombre de archivo de un archivo recibido. Esto se relaciona con AssetService.scala. • https://www.x41-dsec.de/reports/X41-Kudelski-Wire-Security-Review-Android.pdf • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •