VYPR

wire-server

by Wordapp

CVEs (6)

  • CVE-2022-23610CriMar 16, 2022
    risk 0.59cvss 9.1epss 0.01

    wire-server provides back end services for Wire, an open source messenger. In versions of wire-server prior to the 2022-01-27 release, it was possible to craft DSA Signatures to bypass SAML SSO and impersonate any Wire user with SAML credentials. In teams with SAML, but without…

  • CVE-2021-41100HigOct 4, 2021
    risk 0.48cvss 7.4epss 0.01

    Wire-server is the backing server for the open source wire secure messaging application. In affected versions it is possible to trigger email address change of a user with only the short-lived session token in the `Authorization` header. As the short-lived token is only meant as…

  • CVE-2021-41101MedSep 30, 2021
    risk 0.37cvss 5.7epss 0.01

    wire-server is an open-source back end for Wire, a secure collaboration platform. Before version 2.106.0, the CORS ` Access-Control-Allow-Origin ` header set by `nginz` is set for all subdomains of `.wire.com` (including `wire.com`). This means that if somebody were to find an…

  • CVE-2021-41119MedApr 13, 2022
    risk 0.35cvss 5.3epss 0.02

    Wire-server is the system server for the wire back-end services. Releases prior to v2022-03-01 are subject to a denial of service attack via a crafted object causing a hash collision. This collision causes the server to spend at least quadratic time parsing it which can lead to…

  • CVE-2023-22737MedJan 28, 2023
    risk 0.00cvss 6.5epss 0.01

    wire-server provides back end services for Wire, a team communication and collaboration platform. Prior to version 2022-12-09, every member of a Conversation can remove a Bot from a Conversation due to a missing permissions check. Only Conversation admins should be able to…

  • CVE-2021-21396MedMar 26, 2021
    risk 0.00cvss 6.5epss 0.01

    wire-server is an open-source back end for Wire, a secure collaboration platform. In wire-server from version 2021-02-16 and before version 2021-03-02, the client metadata of all users was exposed in the `GET /users/list-clients` endpoint. The endpoint could be used by any…