CVE-2021-21396

Bulk list client endpoint exposes too much metadata about a client

Severity Score

6.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

wire-server is an open-source back end for Wire, a secure collaboration platform. In wire-server from version 2021-02-16 and before version 2021-03-02, the client metadata of all users was exposed in the `GET /users/list-clients` endpoint. The endpoint could be used by any logged in user who could request client details of any other user (no connection required) as far as they can find their User ID. The exposed metadata included id, class, type, location, time, and cookie. A user on a Wire backend could use this endpoint to find registration time and location for each device for a given list of users. As a workaround, remove `/list-clients` from nginx config. This has been fixed in version 2021-03-02.

wire-server es un back-end de código abierto para Wire, una plataforma de colaboración segura. En wire-server desde la versión 16-02-2021 y versiones anteriores a 02-03-2021, los metadatos del cliente de todos los usuarios estaban expuestos en el endpoint "GET/users/list-clients". El endpoint puede ser usado por cualquier usuario con inicio de sesión y que pueda pedir los detalles del cliente de cualquier otro usuario (no se requiere conexión) en la medida en que pueda encontrar su ID de usuario. Los metadatos expuestos incluían id, clase, tipo, ubicación, hora y cookie. Un usuario en un backend Wire podría usar este endpoint para encontrar la hora y la ubicación de registro para cada dispositivo para una lista determinada de usuarios. Como solución alternativa, elimine "/list-clients" de la configuración de nginx. Esto ha sido corregido en la versión 02-03-2021.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2020-12-22 CVE Reserved
2021-03-26 CVE Published
2023-03-08 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CAPEC

References (3)

URL	Tag	Source
https://github.com/wireapp/wire-server/releases/tag/v2021-03-02	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://github.com/wireapp/wire-server/commit/7ba2bf4140282557cf215e0b2c354d4d08cd3421	2021-08-27
https://github.com/wireapp/wire-server/security/advisories/GHSA-qx8q-rhq2-rg4j	2021-08-27

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Wire Search vendor "Wire"		Wire Server Search vendor "Wire" for product "Wire Server"				>= 2021-02-16 < 2021-03-02 Search vendor "Wire" for product "Wire Server" and version " >= 2021-02-16 < 2021-03-02"		-		Affected