
CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

Wire is an open source secure messenger. In affected versions, if an attacker obtains an old but valid access token, they can take over an account by changing the email address. This issue has been resolved in version 3.86, which uses a new endpoint that additionally requires an authentication cookie. See the wire-ios-sync-engine and wire-ios-transport references. This is the root advisory that pulls the changes together. • https://github.com/wireapp/wire-ios-sync-engine/security/advisories/GHSA-w727-5f74-49xj https://github.com/wireapp/wire-ios-transport/security/advisories/GHSA-p354-6r3m-g4xr https://github.com/wireapp/wire-ios/commit/b0e7bb3b13dd8212032cb46e32edf701694687c7 https://github.com/wireapp/wire-ios/security/advisories/GHSA-6f4c-phfj-m255 https://github.com/wireapp/wire-server/security/advisories/GHSA-9rm2-w6pq-333m • CWE-285: Improper Authorization CWE-863: Incorrect Authorization •

CVSS: 5.7 | EPSS: 0% | CPEs: 1 | EXPL: 0

wire-server is an open-source back end for Wire, a secure collaboration platform. Before version 2.106.0, the CORS `Access-Control-Allow-Origin` header set by `nginz` is set for all subdomains of `.wire.com` (including `wire.com`). This means that if somebody were to find an XSS vector in any of the subdomains, they could use it to talk to the Wire API using the user's cookie. A patch does not exist, but a workaround does. To make sure that a compromise of one subdomain does not yield access to the cookie of another, one may limit the `Access-Control-Allow-Origin` header to the apps that actually require the cookie (account-pages, team-settings and the webapp). • https://github.com/wireapp/wire-server/security/advisories/GHSA-v7xx-cx8m-g66p • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.4 | EPSS: 0% | CPEs: 2 | EXPL: 0

Wire is a collaboration platform. wire-ios-transport handles authentication of requests, network failures, and retries for the iOS implementation of Wire. In version 3.82 of the iOS application, a new WebSocket implementation was introduced for users running iOS 13 or higher. This new WebSocket implementation is not configured to enforce certificate pinning when available. Certificate pinning for the new WebSocket is enforced in version 3.84 or above. • https://github.com/wireapp/wire-ios-transport/security/advisories/GHSA-v8mx-h3vj-w39v • CWE-295: Improper Certificate Validation •

CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 1

wire-webapp is the web version of Wire, an open-source messenger. A cross-site scripting vulnerability exists in wire-webapp prior to version 2021-06-01-production.0. If a user is instructed to open an image in a new tab (right click -> open in new tab, or copy the URL and paste it into the URL bar), the image payload is executed on the domain hosting the app (app.wire.com). In particular, if an image contains malicious code in addition to the actual picture, this code is executed on app.wire.com. This allows the attacker to fully control the user account. • https://github.com/wireapp/wire-webapp/commit/056e39d327bb10c1b0958dfbea0c39752692a1b0 https://github.com/wireapp/wire-webapp/security/advisories/GHSA-382j-mmc8-m5rw • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 9.6 | EPSS: 0% | CPEs: 1 | EXPL: 4

Restund is an open source NAT traversal server. The restund TURN server can be instructed to open a relay to the loopback address range. This allows a client to reach any other service running on localhost that the operator might consider private. In the configuration that we ship (https://github.com/wireapp/ansible-restund/blob/master/templates/restund.conf.j2#L40-L43) the `status` interface of restund is enabled and is listening on `127.0.0.1`. The `status` interface allows users to issue administrative commands to `restund`, such as listing open relays or draining connections. It would be possible for an attacker to contact the status interface and issue administrative commands by setting `XOR-PEER-ADDRESS` to `127.0.0.1:{{restund_udp_status_port}}` when opening a TURN channel. • https://docs.wire.com/understand/restund.html https://github.com/coturn/coturn/security/advisories/GHSA-6g6j-r9rf-cm7p https://github.com/wireapp/ansible-restund/blob/master/templates/restund.conf.j2#L40-L43 https://github.com/wireapp/restund/pull/7 https://github.com/wireapp/restund/security/advisories/GHSA-96j5-w9jq-pv2x https://talosintelligence.com/vulnerability_reports/TALOS-2018-0732 https://www.rtcsec.com/post/2021/01/details-about-cve-2020-26262-bypass-of-coturns-default-access-control- • CWE-668: Exposure of Resource to Wrong Sphere CWE-862: Missing Authorization •