Details of VAR-202204-0859

ID

VAR-202204-0859

CVE

CVE-2021-41119

TITLE

Wire Resource Management Error Vulnerability

Trust: 0.6

sources: CNNVD: CNNVD-202204-3338

DESCRIPTION

Wire-server is the system server for the wire back-end services. Releases prior to v2022-03-01 are subject to a denial of service attack via a crafted object causing a hash collision. This collision causes the server to spend at least quadratic time parsing it which can lead to a denial of service for a heavily used server. The issue has been fixed in wire-server 2022-03-01 and is already deployed on all Wire managed services. On premise instances of wire-server need to be updated to 2022-03-01, so that their backends are no longer affected. There are no known workarounds for this issue

Trust: 0.99

sources: NVD: CVE-2021-41119 // VULMON: CVE-2021-41119

AFFECTED PRODUCTS

vendor:

wire

model:

wire-server

scope:

version:

2022-03-01

Trust: 1.0

sources: NVD: CVE-2021-41119

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-41119
value:	HIGH
Trust: 1.0
security-advisories@github.com:	CVE-2021-41119
value:	MEDIUM
Trust: 1.0
CNNVD:	CNNVD-202204-3338
value:	HIGH
Trust: 0.6
VULMON:	CVE-2021-41119
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2021-41119
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.1

nvd@nist.gov:	CVE-2021-41119
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.1
Trust: 1.0
security-advisories@github.com:	CVE-2021-41119
baseSeverity:	MEDIUM
baseScore:	5.3
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	LOW
exploitabilityScore:	3.9
impactScore:	1.4
version:	3.1
Trust: 1.0

sources: VULMON: CVE-2021-41119 // CNNVD: CNNVD-202204-3338 // NVD: CVE-2021-41119 // NVD: CVE-2021-41119

PROBLEMTYPE DATA

problemtype:

CWE-400

Trust: 1.0

sources: NVD: CVE-2021-41119

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202204-3338

TYPE

resource management error

Trust: 0.6

sources: CNNVD: CNNVD-202204-3338

PATCH

title:	Wire Remediation of resource management error vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=190361	Trust: 0.6
title:	Debian CVElist Bug Report Logs: haskell-aeson: CVE-2021-41119 - JSON DoS Vulnerability in Haskell's Aeson library	url:	https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs&qid=1acf8936fee209c4d782a6daeb5dce84	Trust: 0.1

sources: VULMON: CVE-2021-41119 // CNNVD: CNNVD-202204-3338

EXTERNAL IDS

db:	NVD	id:	CVE-2021-41119	Trust: 1.7
db:	CNNVD	id:	CNNVD-202204-3338	Trust: 0.6
db:	VULMON	id:	CVE-2021-41119	Trust: 0.1

sources: VULMON: CVE-2021-41119 // CNNVD: CNNVD-202204-3338 // NVD: CVE-2021-41119

REFERENCES

url:	https://cs-syd.eu/posts/2021-09-11-json-vulnerability	Trust: 1.7
url:	https://github.com/wireapp/wire-server/security/advisories/ghsa-phxv-pffh-fq2r	Trust: 1.7
url:	https://cxsecurity.com/cveshow/cve-2021-41119/	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/400.html	Trust: 0.1
url:	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009678	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULMON: CVE-2021-41119 // CNNVD: CNNVD-202204-3338 // NVD: CVE-2021-41119

SOURCES

db:	VULMON	id:	CVE-2021-41119
db:	CNNVD	id:	CNNVD-202204-3338
db:	NVD	id:	CVE-2021-41119

LAST UPDATE DATE

2024-11-23T22:20:32.010000+00:00

SOURCES UPDATE DATE

db:	VULMON	id:	CVE-2021-41119	date:	2022-04-21T00:00:00
db:	CNNVD	id:	CNNVD-202204-3338	date:	2022-04-22T00:00:00
db:	NVD	id:	CVE-2021-41119	date:	2024-11-21T06:25:30.633

SOURCES RELEASE DATE

db:	VULMON	id:	CVE-2021-41119	date:	2022-04-13T00:00:00
db:	CNNVD	id:	CNNVD-202204-3338	date:	2022-04-13T00:00:00
db:	NVD	id:	CVE-2021-41119	date:	2022-04-13T19:15:08.990