CVE-2020-27853

Severity Score

9.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Wire before 2020-10-16 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a format string. This affects Wire AVS (Audio, Video, and Signaling) 5.3 through 6.x before 6.4, the Wire Secure Messenger application before 3.49.918 for Android, and the Wire Secure Messenger application before 3.61 for iOS. This occurs via the value parameter to sdp_media_set_lattr in peerflow/sdp.c.

Wire antes de 16-10-2020, permite a atacantes remotos causar una denegación de servicio (bloqueo de aplicación) o posiblemente ejecutar código arbitrario por medio de una cadena de formato. Esto afecta a Wire AVS (Audio, Video, y Signaling) versiones 5.3 hasta 6.x anteriores a 6.4, la aplicación Wire Secure Messenger versiones anteriores a 3.49.918 para Android y la aplicación Wire Secure Messenger versiones anteriores a 3.61 para iOS. Esto ocurre por medio del parámetro value en la función sdp_media_set_lattr en el archivo peerflow/sdp.c.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2020-10-27 CVE Reserved
2020-10-27 CVE Published
2024-08-04 CVE Updated
2024-08-04 First Exploit
2024-08-16 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-134: Use of Externally-Controlled Format String

CAPEC

References (2)

URL	Tag	Source

URL	Date	SRC
http://github.security.telekom.com/2020/11/wire-secure-messenger-format-string-vulnerability.html	2024-08-04
https://github.com/wireapp/wire-audio-video-signaling/issues/23#issuecomment-710075689	2024-08-04

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Wire Search vendor "Wire"		Wire Search vendor "Wire" for product "Wire"				< 3.21.2936 Search vendor "Wire" for product "Wire" and version " < 3.21.2936"		linux		Affected
Wire Search vendor "Wire"		Wire Search vendor "Wire" for product "Wire"				< 3.21.3932 Search vendor "Wire" for product "Wire" and version " < 3.21.3932"		windows		Affected
Wire Search vendor "Wire"		Wire Search vendor "Wire" for product "Wire"				< 3.21.3959 Search vendor "Wire" for product "Wire" and version " < 3.21.3959"		macos		Affected
Wire Search vendor "Wire"		Wire - Audio\, Video\, And Signaling Search vendor "Wire" for product "Wire - Audio\, Video\, And Signaling"				>= 5.3 < 6.4 Search vendor "Wire" for product "Wire - Audio\, Video\, And Signaling" and version " >= 5.3 < 6.4"		-		Affected
Wire Search vendor "Wire"		Wire Secure Messenger Search vendor "Wire" for product "Wire Secure Messenger"				< 3.49.918 Search vendor "Wire" for product "Wire Secure Messenger" and version " < 3.49.918"		android		Affected
Wire Search vendor "Wire"		Wire Secure Messenger Search vendor "Wire" for product "Wire Secure Messenger"				< 3.61 Search vendor "Wire" for product "Wire Secure Messenger" and version " < 3.61"		iphone_os		Affected