
CVE-2023-22737

wire-server vulnerable to unauthorized removal of Bots from Conversations

  • Severity Score: 6.5 (CVSS v3.1)
  • Exploit Likelihood: not available (EPSS)
  • Affected Versions: see CPE data below
  • Public Exploits: 0 (multiple sources)
  • Exploited in Wild: - (KEV)
  • Decision: Track (SSVC)
Descriptions

wire-server provides back end services for Wire, a team communication and collaboration platform. Prior to version 2022-12-09, every member of a Conversation can remove a Bot from a Conversation due to a missing permissions check. Only Conversation admins should be able to remove Bots; regular Conversation members are not allowed to do so. The issue is fixed in wire-server 2022-12-09 and is already deployed on all Wire managed services. On-premise instances of wire-server need to be updated to 2022-12-09/Chart 4.29.0, so that their backends are no longer affected. There are no known workarounds.


*Credits: N/A
CVSS Scores
  • CVSS v3.1: Attack Vector: Network; Attack Complexity: Low; Privileges Required: Low; User Interaction: None; Scope: Unchanged; Confidentiality: None; Integrity: None; Availability: High
  • CVSS v2.0: Attack Vector: Network; Attack Complexity: Low; Authentication: Single; Confidentiality: None; Integrity: None; Availability: Complete
* Common Vulnerability Scoring System
SSVC
  • Decision: Track
  • Exploitation: None
  • Automatable: No
  • Tech. Impact: Partial
* Organization's Worst-case Scenario
Timeline
  • 2023-01-06 CVE Reserved
  • 2023-01-27 CVE Published
  • 2025-03-10 CVE Updated
  • 2025-03-30 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-280: Improper Handling of Insufficient Permissions or Privileges
  • CWE-862: Missing Authorization
CAPEC
Affected Vendors, Products, and Versions
  • Vendor: Wire; Product: Wire; Version: < 2022-12-09; Other: -; Status: Affected