CVE-2023-22737
First published: Sat Jan 28 2023(Updated: )
wire-server provides back end services for Wire, a team communication and collaboration platform. Prior to version 2022-12-09, every member of a Conversation can remove a Bot from a Conversation due to a missing permissions check. Only Conversation admins should be able to remove Bots. Regular Conversations are not allowed to do so. The issue is fixed in wire-server 2022-12-09 and is already deployed on all Wire managed services. On-premise instances of wire-server need to be updated to 2022-12-09/Chart 4.29.0, so that their backends are no longer affected. There are no known workarounds.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Wire Wire | <2022-12-09 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2023-22737?
CVE-2023-22737 is a vulnerability in the wire-server software that allows any member of a conversation to remove a bot, even if they don't have the necessary permissions.
What is the severity of CVE-2023-22737?
The severity of CVE-2023-22737 is medium with a severity value of 6.5.
How can CVE-2023-22737 be exploited?
CVE-2023-22737 can be exploited by any member of a conversation who wishes to remove a bot, regardless of their permissions.
Has CVE-2023-22737 been patched?
Yes, CVE-2023-22737 has been patched in the wire-server software version 2022-12-09.
Where can I find more information about CVE-2023-22737?
You can find more information about CVE-2023-22737 in the references provided: [link1], [link2], [link3].
- collector/nvd-index
- vendor/wire
- canonical/wire wire