CVE-2021-21396

Published: Mar 26, 2021

Modified: Aug 3, 2024

PUBLISHED

CVSS v3.1

6.5

MEDIUM

Description

wire-server is an open-source back end for Wire, a secure collaboration platform. In wire-server from version 2021-02-16 and before version 2021-03-02, the client metadata of all users was exposed in the `GET /users/list-clients` endpoint. The endpoint could be used by any logged in user who could request client details of any other user (no connection required) as far as they can find their User ID. The exposed metadata included id, class, type, location, time, and cookie. A user on a Wire backend could use this endpoint to find registration time and location for each device for a given list of users. As a workaround, remove `/list-clients` from nginx config. This has been fixed in version 2021-03-02.

Vendor	Product	Versions
wireapp	wire-server	affected `>= 2021-02-16, < 2021-03-02`

Weaknesses (CWE)

CWE-200

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

References

https://github.com/wireapp/wire-server/security/advisories/GHSA-qx8q-rhq2-rg4j

x_refsource_CONFIRM

https://github.com/wireapp/wire-server/releases/tag/v2021-03-02

x_refsource_MISC

https://github.com/wireapp/wire-server/commit/7ba2bf4140282557cf215e0b2c354d4d08cd3421

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2021-21396

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References