9.8
CVE-2020-27853
- EPSS 3.22%
- Published 27.10.2020 18:15:12
- Last modified 21.11.2024 05:21:56
- Source cve@mitre.org
Wire before 2020-10-16 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a format string. This affects Wire AVS (Audio, Video, and Signaling) 5.3 through 6.x before 6.4, the Wire Secure Messenger application before 3.49.918 for Android, and the Wire Secure Messenger application before 3.61 for iOS. This occurs via the value parameter to sdp_media_set_lattr in peerflow/sdp.c.
Data is provided by the National Vulnerability Database (NVD)
Wire ≫ Wire - Audio, Video, And Signaling Version >= 5.3 < 6.4
Wire ≫ Wire Secure Messenger SwPlatform android Version < 3.49.918
Wire ≫ Wire Secure Messenger SwPlatform iphone_os Version < 3.61
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 3.22% | 0.865 |
| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd@nist.gov | 7.5 | 10 | 6.4 | AV:N/AC:L/Au:N/C:P/I:P/A:P |
CWE-134 Use of Externally-Controlled Format String
The product uses a function that accepts a format string as an argument, but the format string originates from an external source.