CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-32666 – Asset DoS vulnerability
https://notcve.org/view.php?id=CVE-2021-32666
wire-ios is the iOS version of Wire, an open-source secure messaging app. In wire-ios versions 3.8.0 and prior, a vulnerability exists that can cause a denial of service between users. If a user has an invalid assetID for their profile picture and it contains the " character, it will cause the iOS client to crash. The vulnerability is patched in wire-ios version 3.8.1. wire-ios es la versión para iOS de Wire, una aplicación de mensajería segura de código abierto. En wire-ios, versiones 3.8.0 y anteriores se presenta una vulnerabilidad que puede causar una denegación de servicio entre usuarios. • https://github.com/wireapp/wire-ios-data-model/commit/35af3f632085f51a2ce7f608fdaeffd1a69ad89f https://github.com/wireapp/wire-ios/security/advisories/GHSA-2x9x-vh27-h4rv • CWE-20: Improper Input Validation •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-32665 – Verified groups not reliable
https://notcve.org/view.php?id=CVE-2021-32665
wire-ios is the iOS version of Wire, an open-source secure messaging app. wire-ios versions 3.8.0 and earlier have a bug in which a conversation could be incorrectly set to "unverified. This occurs when: - Self user is added to a new conversation - Self user is added to an existing conversation - All the participants in the conversation were previously marked as verified. The vulnerability is patched in wire-ios version 3.8.1. As a workaround, one can unverify & verify a device in the conversation. wire-ios es la versión para iOS de Wire, una aplicación de mensajería segura de código abierto. Las versiones 3.8.0 y anteriores de wire-ios tienen un bug en el que una conversación podría ser incorrectamente establecida como "no verificada". • https://github.com/wireapp/wire-ios-data-model/commit/bf9db85886b12a20c8374f55b7c4a610e8ae9220 https://github.com/wireapp/wire-ios/security/advisories/GHSA-mc65-7w99-c6qv • CWE-345: Insufficient Verification of Data Authenticity •
CVSS: 7.1EPSS: 0%CPEs: 192EXPL: 0CVE-2021-21400 – Entering code in App Lock modal sends input to conversation
https://notcve.org/view.php?id=CVE-2021-21400
wire-webapp is an open-source front end for Wire, a secure collaboration platform. In wire-webapp before version 2021-03-15-production.0, when being prompted to enter the app-lock passphrase, the typed passphrase will be sent into the most recently used chat when the user does not actively give focus to the input field. Input element focus is enforced programatically in version 2021-03-15-production.0. wire-webapp es una interfaz de código abierto para Wire, una plataforma de colaboración segura. En wire-webapp anterior a la versión 15-03-2021-production.0, cuando ha sido solicitado que ingrese la frase de contraseña app-lock, la frase de contraseña escrita será enviada al chat usado más recientemente cuando el usuario no preste atención activamente al campo de entrada. El enfoque del elemento de entrada es aplicado mediante programación en la versión 15-03-2021-production.0. • https://github.com/wireapp/wire-webapp/commit/281f2a9d795f68abe423c116d5da4e1e73a60062 https://github.com/wireapp/wire-webapp/pull/10704 https://github.com/wireapp/wire-webapp/releases/tag/2021-03-15-production.0 https://github.com/wireapp/wire-webapp/security/advisories/GHSA-cxwr-f2j3-q8hp • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-21396 – Bulk list client endpoint exposes too much metadata about a client
https://notcve.org/view.php?id=CVE-2021-21396
wire-server is an open-source back end for Wire, a secure collaboration platform. In wire-server from version 2021-02-16 and before version 2021-03-02, the client metadata of all users was exposed in the `GET /users/list-clients` endpoint. The endpoint could be used by any logged in user who could request client details of any other user (no connection required) as far as they can find their User ID. The exposed metadata included id, class, type, location, time, and cookie. A user on a Wire backend could use this endpoint to find registration time and location for each device for a given list of users. • https://github.com/wireapp/wire-server/commit/7ba2bf4140282557cf215e0b2c354d4d08cd3421 https://github.com/wireapp/wire-server/releases/tag/v2021-03-02 https://github.com/wireapp/wire-server/security/advisories/GHSA-qx8q-rhq2-rg4j • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2021-21301 – Video feed was captured while user has disabled video
https://notcve.org/view.php?id=CVE-2021-21301
Wire is an open-source collaboration platform. In Wire for iOS (iPhone and iPad) before version 3.75 there is a vulnerability where the video capture isn't stopped in a scenario where a user first has their camera enabled and then disables it. It's a privacy issue because video is streamed to the call when the user believes it is disabled. It impacts all users in video calls. This is fixed in version 3.75. • https://github.com/wireapp/wire-ios/commit/7e3c30120066c9b10e50cc0d20012d0849c33a40 https://github.com/wireapp/wire-ios/pull/4879 https://github.com/wireapp/wire-ios/security/advisories/GHSA-7fg4-x8vj-qvxf • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •