Details of VAR-202103-0650

ID

VAR-202103-0650

CVE

CVE-2021-21396

TITLE

wire-server Information Disclosure Vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2021-005019

DESCRIPTION

wire-server is an open-source back end for Wire, a secure collaboration platform. In wire-server from version 2021-02-16 and before version 2021-03-02, the client metadata of all users was exposed in the `GET /users/list-clients` endpoint. The endpoint could be used by any logged in user who could request client details of any other user (no connection required) as far as they can find their User ID. The exposed metadata included id, class, type, location, time, and cookie. A user on a Wire backend could use this endpoint to find registration time and location for each device for a given list of users. As a workaround, remove `/list-clients` from nginx config. This has been fixed in version 2021-03-02. wire-server Contains an information disclosure vulnerability.Information may be obtained

Trust: 1.71

sources: NVD: CVE-2021-21396 // JVNDB: JVNDB-2021-005019 // VULMON: CVE-2021-21396

AFFECTED PRODUCTS

vendor:	wire	model:	server	scope:	lt	version:	2021-03-02	Trust: 1.0
vendor:	wire	model:	server	scope:	gte	version:	2021-02-16	Trust: 1.0
vendor:	wire swiss	model:	wire-server	scope:	eq	version:	2021/02/16 to 2021/03/02 before that	Trust: 0.8
vendor:	wire swiss	model:	wire-server	scope:	eq	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2021-005019 // NVD: CVE-2021-21396

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-21396
value:	MEDIUM
Trust: 1.0
security-advisories@github.com:	CVE-2021-21396
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2021-21396
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-202103-1578
value:	MEDIUM
Trust: 0.6
VULMON:	CVE-2021-21396
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2021-21396
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9

nvd@nist.gov:	CVE-2021-21396
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	3.6
version:	3.1
Trust: 2.0
OTHER:	JVNDB-2021-005019
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULMON: CVE-2021-21396 // JVNDB: JVNDB-2021-005019 // CNNVD: CNNVD-202103-1578 // NVD: CVE-2021-21396 // NVD: CVE-2021-21396

PROBLEMTYPE DATA

problemtype:	CWE-200	Trust: 1.0
problemtype:	information leak (CWE-200) [ Other ]	Trust: 0.8

sources: JVNDB: JVNDB-2021-005019 // NVD: CVE-2021-21396

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202103-1578

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-202103-1578

PATCH

title:	Return PubClient instead of Client from /users/list-clients (#1391) GitHub	url:	https://github.com/wireapp/wire-server/commit/7ba2bf4140282557cf215e0b2c354d4d08cd3421	Trust: 0.8
title:	wire-server Repair measures for information disclosure vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=145589	Trust: 0.6

sources: JVNDB: JVNDB-2021-005019 // CNNVD: CNNVD-202103-1578

EXTERNAL IDS

db:	NVD	id:	CVE-2021-21396	Trust: 2.5
db:	JVNDB	id:	JVNDB-2021-005019	Trust: 0.8
db:	CNNVD	id:	CNNVD-202103-1578	Trust: 0.6
db:	VULMON	id:	CVE-2021-21396	Trust: 0.1

sources: VULMON: CVE-2021-21396 // JVNDB: JVNDB-2021-005019 // CNNVD: CNNVD-202103-1578 // NVD: CVE-2021-21396

REFERENCES

url:	https://github.com/wireapp/wire-server/security/advisories/ghsa-qx8q-rhq2-rg4j	Trust: 1.7
url:	https://github.com/wireapp/wire-server/releases/tag/v2021-03-02	Trust: 1.7
url:	https://github.com/wireapp/wire-server/commit/7ba2bf4140282557cf215e0b2c354d4d08cd3421	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2021-21396	Trust: 1.4
url:	https://cwe.mitre.org/data/definitions/200.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULMON: CVE-2021-21396 // JVNDB: JVNDB-2021-005019 // CNNVD: CNNVD-202103-1578 // NVD: CVE-2021-21396

SOURCES

db:	VULMON	id:	CVE-2021-21396
db:	JVNDB	id:	JVNDB-2021-005019
db:	CNNVD	id:	CNNVD-202103-1578
db:	NVD	id:	CVE-2021-21396

LAST UPDATE DATE

2024-11-23T21:34:49.093000+00:00

SOURCES UPDATE DATE

db:	VULMON	id:	CVE-2021-21396	date:	2021-08-27T00:00:00
db:	JVNDB	id:	JVNDB-2021-005019	date:	2021-12-06T07:04:00
db:	CNNVD	id:	CNNVD-202103-1578	date:	2021-04-02T00:00:00
db:	NVD	id:	CVE-2021-21396	date:	2024-11-21T05:48:16.390

SOURCES RELEASE DATE

db:	VULMON	id:	CVE-2021-21396	date:	2021-03-26T00:00:00
db:	JVNDB	id:	JVNDB-2021-005019	date:	2021-12-06T00:00:00
db:	CNNVD	id:	CNNVD-202103-1578	date:	2021-03-26T00:00:00
db:	NVD	id:	CVE-2021-21396	date:	2021-03-26T22:15:12.947