
CVE-2024-58103
https://notcve.org/view.php?id=CVE-2024-58103
16 Mar 2025 — Square Wire before 5.2.0 does not enforce a recursion limit on nested groups in ByteArrayProtoReader32.kt and ProtoReader.kt. • https://github.com/square/wire/commit/b90e60c09befaff836a2fc2ee4d678451b2ec75d • CWE-674: Uncontrolled Recursion •

CVE-2023-22737 – wire-server vulnerable to unauthorized removal of Bots from Conversations
https://notcve.org/view.php?id=CVE-2023-22737
27 Jan 2023 — wire-server provides back end services for Wire, a team communication and collaboration platform. Prior to version 2022-12-09, every member of a Conversation can remove a Bot from a Conversation due to a missing permissions check. Only Conversation admins should be able to remove Bots. Regular Conversations are not allowed to do so. The issue is fixed in wire-server 2022-12-09 and is already deployed on all Wire managed services. • https://github.com/wireapp/wire-server/commit/494a6881f5895d4ed9e5d011455242be0d5e6223 • CWE-280: Improper Handling of Insufficient Permissions or Privileges CWE-862: Missing Authorization •

CVE-2022-43673
https://notcve.org/view.php?id=CVE-2022-43673
18 Nov 2022 — Wire through 3.22.3993 on Windows advertises deletion of sent messages; nonetheless, all messages can be retrieved (for a limited period of time) from the AppData\Roaming\Wire\IndexedDB\https_app.wire.com_0.indexeddb.leveldb database. • https://wire.com • CWE-532: Insertion of Sensitive Information into Log File •

CVE-2022-31009 – DoS vulnerability: Invalid Accent Colors
https://notcve.org/view.php?id=CVE-2022-31009
23 Jun 2022 — wire-ios is an iOS client for the Wire secure messaging application. Invalid accent colors of Wire communication partners may render the iOS Wire Client partially unusable by causing it to crash multiple times on launch. These invalid accent colors can be used by and sent between Wire users. The root cause was an unnecessary assert statement when converting an integer value into the corresponding enum value, causing an exception instead of a fallback to a default value. This issue is fixed in [wire-ios](htt... • https://github.com/wireapp/wire-ios/commit/caa0e27dbe51f9edfda8c7a9f017d93b8cfddefb • CWE-617: Reachable Assertion •

CVE-2022-23625 – DoS vulnerability: Malformed Resource Identifiers
https://notcve.org/view.php?id=CVE-2022-23625
11 Mar 2022 — Wire-ios is a messaging application using the wire protocol on Apple's iOS platform. In versions prior to 3.95, malformed resource identifiers may render the iOS Wire Client completely unusable by causing it to repeatedly crash on launch. These malformed resource identifiers can be generated and sent between Wire users. The root cause lies in [wireapp/wire-ios-transport](https://github.com/wireapp/wire-ios-transport), where code responsible for removing sensitive tokens before logging may fail and lead to a c... • https://github.com/wireapp/wire-ios-transport/commit/02e90aa45edaf7eb2d8b97fa2377cd8104274170 • CWE-755: Improper Handling of Exceptional Conditions •

CVE-2021-41094 – Mandatory encryption at rest can be bypassed (UI) in Wire app
https://notcve.org/view.php?id=CVE-2021-41094
04 Oct 2021 — Wire is an open source secure messenger. Users of Wire by Bund may bypass the mandatory encryption at rest feature by simply disabling their device passcode. Upon launching, the app will attempt to enable encryption at rest by generating encryption keys via the Secure Enclave; however, it will fail silently if no device passcode is set. The user has no indication that encryption at rest is not active since the feature is hidden from them. This issue has been resolved in version 3.70. • https://github.com/wireapp/wire-ios/commit/5ba3eb180efc3fc795d095f9c84ae7f109b84746 • CWE-668: Exposure of Resource to Wrong Sphere •

CVE-2021-41093 – Account takeover when having only access to a user's short lived token
https://notcve.org/view.php?id=CVE-2021-41093
04 Oct 2021 — Wire is an open source secure messenger. In affected versions, if an attacker gets an old but valid access token they can take over an account by changing the email. This issue has been resolved in version 3.86, which uses a new endpoint which additionally requires an authentication cookie. See wire-ios-sync-engine and wire-ios-transport references. This is the root advisory that pulls the changes together. • https://github.com/wireapp/wire-ios-sync-engine/security/advisories/GHSA-w727-5f74-49xj • CWE-285: Improper Authorization CWE-863: Incorrect Authorization •

CVE-2021-32755 – Certificate pinning is not enforced on the web socket connection
https://notcve.org/view.php?id=CVE-2021-32755
13 Jul 2021 — Wire is a collaboration platform. wire-ios-transport handles authentication of requests, network failures, and retries for the iOS implementation of Wire. In the 3.82 version of the iOS application, a new web socket implementation was introduced for users running iOS 13 or higher. This new websocket implementation is not configured to enforce certificate pinning when available. Certificate pinning for the new websocket is enforced in version 3.84 or above. • https://github.com/wireapp/wire-ios-transport/security/advisories/GHSA-v8mx-h3vj-w39v • CWE-295: Improper Certificate Validation •

CVE-2021-32666 – Asset DoS vulnerability
https://notcve.org/view.php?id=CVE-2021-32666
03 Jun 2021 — wire-ios is the iOS version of Wire, an open-source secure messaging app. In wire-ios versions 3.8.0 and prior, a vulnerability exists that can cause a denial of service between users. If a user has an invalid assetID for their profile picture and it contains the " character, it will cause the iOS client to crash. The vulnerability is patched in wire-ios version 3.8.1. • https://github.com/wireapp/wire-ios-data-model/commit/35af3f632085f51a2ce7f608fdaeffd1a69ad89f • CWE-20: Improper Input Validation •

CVE-2021-32665 – Verified groups not reliable
https://notcve.org/view.php?id=CVE-2021-32665
03 Jun 2021 — wire-ios is the iOS version of Wire, an open-source secure messaging app. wire-ios versions 3.8.0 and earlier have a bug in which a conversation could be incorrectly set to "unverified". This occurs when: - Self user is added to a new conversation - Self user is added to an existing conversation - All the participants in the conversation were previously marked as verified. The vulnerability is patched in wire-ios version 3.8.1. As a workaround, one can unverify & verify a device in the conversation. • https://github.com/wireapp/wire-ios-data-model/commit/bf9db85886b12a20c8374f55b7c4a610e8ae9220 • CWE-345: Insufficient Verification of Data Authenticity •