CVE-2022-23625

DoS vulnerability: Malformed Resource Identifiers

Severity Score

6.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Wire-ios is a messaging application using the wire protocol on apple's ios platform. In versions prior to 3.95 malformed resource identifiers may render the iOS Wire Client completely unusable by causing it to repeatedly crash on launch. These malformed resource identifiers can be generated and sent between Wire users. The root cause lies in [wireapp/wire-ios-transport](https://github.com/wireapp/wire-ios-transport), where code responsible for removing sensible tokens before logging may fail and lead to a crash (Swift exception) of the application. This causes undesirable behavior, however the (greater) Wire system is still functional. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue.

Wire-ios es una aplicación de mensajería que usando el protocolo wire en la plataforma ios de apple. En versiones anteriores a 3.95, los identificadores de recursos malformados pueden hacer que el cliente Wire de iOS sea completamente inusable al causar que sea bloqueado repetidamente al iniciarse. Estos identificadores de recursos malformados pueden ser generados y enviados entre usuarios de Wire. La causa root es encontrada en [wireapp/wire-ios-transport](https://github.com/wireapp/wire-ios-transport), donde el código responsable de eliminar los tokens confidenciales antes del registro puede fallar y conllevar a un fallo (excepción Swift) de la aplicación. Esto causa un comportamiento no deseable, sin embargo el sistema Wire (mayor) sigue siendo funcional. Es recomendado a usuarios actualizar lo antes posible. No se presentan medidas de mitigación conocidas para este problema

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

None

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-01-19 CVE Reserved
2022-03-11 CVE Published
2023-10-31 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-755: Improper Handling of Exceptional Conditions

CAPEC

References (3)

URL	Tag	Source
https://github.com/wireapp/wire-ios/security/advisories/GHSA-rq36-8qfp-79mc	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://github.com/wireapp/wire-ios-transport/commit/02e90aa45edaf7eb2d8b97fa2377cd8104274170	2022-03-18
https://github.com/wireapp/wire-ios-transport/security/advisories/GHSA-3xvh-x964-572h	2022-03-18

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Wire Search vendor "Wire"		Wire Search vendor "Wire" for product "Wire"				< 3.95 Search vendor "Wire" for product "Wire" and version " < 3.95"		iphone_os		Affected
Wire Search vendor "Wire"		Wire-ios-transport Search vendor "Wire" for product "Wire-ios-transport"				< 84.1.1 Search vendor "Wire" for product "Wire-ios-transport" and version " < 84.1.1"		iphone_os		Affected