Details of VAR-202301-1851

ID

VAR-202301-1851

CVE

CVE-2023-22737

TITLE

wire-server Insufficient Permissions or Improper Handling of Privileges Vulnerabilities in

Trust: 0.8

sources: JVNDB: JVNDB-2023-003092

DESCRIPTION

wire-server provides back end services for Wire, a team communication and collaboration platform. Prior to version 2022-12-09, every member of a Conversation can remove a Bot from a Conversation due to a missing permissions check. Only Conversation admins should be able to remove Bots. Regular Conversations are not allowed to do so. The issue is fixed in wire-server 2022-12-09 and is already deployed on all Wire managed services. On-premise instances of wire-server need to be updated to 2022-12-09/Chart 4.29.0, so that their backends are no longer affected. There are no known workarounds. wire-server contains vulnerabilities related to insufficient permissions or improper handling of privileges, and vulnerabilities related to lack of authentication.Service operation interruption (DoS) It may be in a state

Trust: 1.71

sources: NVD: CVE-2023-22737 // JVNDB: JVNDB-2023-003092 // VULMON: CVE-2023-22737

AFFECTED PRODUCTS

vendor:	wire	model:	wire	scope:	lt	version:	2022-12-09	Trust: 1.0
vendor:	wire swiss	model:	wire-server	scope:	eq	version:	2022-12-09	Trust: 0.8
vendor:	wire swiss	model:	wire-server	scope:	eq	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2023-003092 // NVD: CVE-2023-22737

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2023-22737
value:	MEDIUM
Trust: 1.0
security-advisories@github.com:	CVE-2023-22737
value:	MEDIUM
Trust: 1.0
OTHER:	JVNDB-2023-003092
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-202301-2277
value:	MEDIUM
Trust: 0.6

nvd@nist.gov:	CVE-2023-22737
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	3.6
version:	3.1
Trust: 2.0
OTHER:	JVNDB-2023-003092
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2023-003092 // CNNVD: CNNVD-202301-2277 // NVD: CVE-2023-22737 // NVD: CVE-2023-22737

PROBLEMTYPE DATA

problemtype:	CWE-862	Trust: 1.0
problemtype:	CWE-280	Trust: 1.0
problemtype:	Insufficient permissions or improper handling of privileges (CWE-280) [ others ]	Trust: 0.8
problemtype:	Lack of authentication (CWE-862) [ others ]	Trust: 0.8

sources: JVNDB: JVNDB-2023-003092 // NVD: CVE-2023-22737

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202301-2277

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202301-2277

PATCH

title:	2022-12-09 (Chart Release 4.29.0) GitHub	url:	https://github.com/wireapp/wire-server/commit/494a6881f5895d4ed9e5d011455242be0d5e6223	Trust: 0.8
title:	Wire Security vulnerabilities	url:	http://123.124.177.30/web/xxk/bdxqById.tag?id=222942	Trust: 0.6
title:	-	url:	https://github.com/Live-Hack-CVE/CVE-2023-22737	Trust: 0.1

sources: VULMON: CVE-2023-22737 // JVNDB: JVNDB-2023-003092 // CNNVD: CNNVD-202301-2277

EXTERNAL IDS

db:	NVD	id:	CVE-2023-22737	Trust: 3.3
db:	JVNDB	id:	JVNDB-2023-003092	Trust: 0.8
db:	CNNVD	id:	CNNVD-202301-2277	Trust: 0.6
db:	VULMON	id:	CVE-2023-22737	Trust: 0.1

sources: VULMON: CVE-2023-22737 // JVNDB: JVNDB-2023-003092 // CNNVD: CNNVD-202301-2277 // NVD: CVE-2023-22737

REFERENCES

url:	https://github.com/wireapp/wire-server/commit/494a6881f5895d4ed9e5d011455242be0d5e6223	Trust: 1.7
url:	https://github.com/wireapp/wire-server/releases/tag/v2022-12-09	Trust: 1.7
url:	https://github.com/wireapp/wire-server/pull/2870	Trust: 1.7
url:	https://github.com/wireapp/wire-server/security/advisories/ghsa-xmjc-c6w3-pcp4	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2023-22737	Trust: 0.8
url:	https://cxsecurity.com/cveshow/cve-2023-22737/	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/280.html	Trust: 0.1
url:	https://cwe.mitre.org/data/definitions/862.html	Trust: 0.1
url:	https://github.com/live-hack-cve/cve-2023-22737	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULMON: CVE-2023-22737 // JVNDB: JVNDB-2023-003092 // CNNVD: CNNVD-202301-2277 // NVD: CVE-2023-22737

SOURCES

db:	VULMON	id:	CVE-2023-22737
db:	JVNDB	id:	JVNDB-2023-003092
db:	CNNVD	id:	CNNVD-202301-2277
db:	NVD	id:	CVE-2023-22737

LAST UPDATE DATE

2024-08-14T14:55:00.029000+00:00

SOURCES UPDATE DATE

db:	VULMON	id:	CVE-2023-22737	date:	2023-01-30T00:00:00
db:	JVNDB	id:	JVNDB-2023-003092	date:	2023-08-31T05:22:00
db:	CNNVD	id:	CNNVD-202301-2277	date:	2023-02-09T00:00:00
db:	NVD	id:	CVE-2023-22737	date:	2023-02-08T17:41:31.743

SOURCES RELEASE DATE

db:	VULMON	id:	CVE-2023-22737	date:	2023-01-28T00:00:00
db:	JVNDB	id:	JVNDB-2023-003092	date:	2023-08-31T00:00:00
db:	CNNVD	id:	CNNVD-202301-2277	date:	2023-01-28T00:00:00
db:	NVD	id:	CVE-2023-22737	date:	2023-01-28T00:15:08.863