6.5
CVE-2023-22737
- EPSS 0.73%
- Veröffentlicht 28.01.2023 00:15:08
- Zuletzt bearbeitet 21.11.2024 07:45:19
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
Loginwire-server vulnerable to unauthorized removal of Bots from Conversations
wire-server provides back end services for Wire, a team communication and collaboration platform. Prior to version 2022-12-09, every member of a Conversation can remove a Bot from a Conversation due to a missing permissions check. Only Conversation admins should be able to remove Bots. Regular Conversations are not allowed to do so. The issue is fixed in wire-server 2022-12-09 and is already deployed on all Wire managed services. On-premise instances of wire-server need to be updated to 2022-12-09/Chart 4.29.0, so that their backends are no longer affected. There are no known workarounds.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.73% | 0.494 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 6.5 | 2.8 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
|
| security-advisories@github.com | 6.5 | 2.8 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
|
CWE-280 Improper Handling of Insufficient Permissions or Privileges
The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state.
CWE-862 Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
https://github.com/wireapp/wire-server/commit/494a6881f5895d4ed9e5d011455242be0d5e6223
https://github.com/wireapp/wire-server/pull/2870
https://github.com/wireapp/wire-server/releases/tag/v2022-12-09
https://github.com/wireapp/wire-server/security/advisories/GHSA-xmjc-c6w3-pcp4