First published: Sat Jan 28 2023
wire-server provides backend services for Wire, a team communication and collaboration platform. Prior to version 2022-12-09, every member of a Conversation could remove a Bot from that Conversation because of a missing permissions check. Only Conversation admins should be able to remove Bots; regular Conversation members should not be allowed to do so. The issue is fixed in wire-server 2022-12-09 and is already deployed on all Wire managed services. On-premise instances of wire-server need to be updated to 2022-12-09 (Chart 4.29.0) so that their backends are no longer affected. There are no known workarounds.
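To make the missing check concrete, the following is an added illustrative model written for this page; it is not wire-server's code, and the names `Conversation`, `Role`, `remove_bot_unchecked` and `remove_bot` are hypothetical. It places the flawed authorization logic (membership is checked, role is not) next to the corrected one (the requester must be a member *and* hold the admin role), which is the class of defect the advisory describes.

```python
from dataclasses import dataclass, field
from enum import Enum


class Role(Enum):
    ADMIN = "admin"
    MEMBER = "member"


class PermissionDenied(Exception):
    """Raised when the requester is not allowed to perform the action."""


@dataclass
class Conversation:
    # user_id -> role; hypothetical in-memory model, not a real data store
    members: dict[str, Role] = field(default_factory=dict)
    bots: set[str] = field(default_factory=set)


def remove_bot_unchecked(conv: Conversation, requester: str, bot_id: str) -> None:
    """Flawed variant: verifies membership only, never the requester's role.

    Any member, admin or not, can remove a bot. This mirrors the missing
    permissions check described in the advisory (modelled, not wire-server's code).
    """
    if requester not in conv.members:
        raise PermissionDenied(f"{requester} is not a member")
    conv.bots.discard(bot_id)


def remove_bot(conv: Conversation, requester: str, bot_id: str) -> None:
    """Fixed variant: membership and the admin role are both required."""
    role = conv.members.get(requester)
    if role is None:
        raise PermissionDenied(f"{requester} is not a member")
    if role is not Role.ADMIN:
        raise PermissionDenied(f"{requester} is not a conversation admin")
    if bot_id not in conv.bots:
        raise KeyError(f"bot {bot_id} is not in this conversation")
    conv.bots.remove(bot_id)


def build_sample() -> Conversation:
    """Constructed sample conversation: one admin, one regular member, one bot."""
    return Conversation(
        members={"alice": Role.ADMIN, "bob": Role.MEMBER},
        bots={"poll-bot"},
    )


def demo() -> dict[str, bool]:
    """Run each variant against the sample and report whether the bot survived."""
    results: dict[str, bool] = {}

    # Flawed path: the regular member succeeds in removing the bot.
    conv = build_sample()
    remove_bot_unchecked(conv, "bob", "poll-bot")
    results["unchecked_member_removed"] = "poll-bot" not in conv.bots

    # Fixed path: the regular member is refused and the bot remains.
    conv = build_sample()
    try:
        remove_bot(conv, "bob", "poll-bot")
        results["checked_member_refused"] = False
    except PermissionDenied:
        results["checked_member_refused"] = "poll-bot" in conv.bots

    # Fixed path: the admin is still able to remove the bot.
    conv = build_sample()
    remove_bot(conv, "alice", "poll-bot")
    results["checked_admin_removed"] = "poll-bot" not in conv.bots

    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point of keeping both variants side by side is that the flawed one is not obviously wrong on reading: it does perform an authorization check, just against the wrong predicate (membership rather than role). Reviews and tests for privileged operations should therefore assert on the negative case (a non-admin member is refused) rather than only on the positive one.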
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Wire wire-server | < 2022-12-09 | Update to wire-server 2022-12-09 (Chart 4.29.0) |
CVE-2023-22737 is a vulnerability in wire-server that allows any member of a conversation to remove a bot from it, even though only conversation admins should have that permission.
The severity of CVE-2023-22737 is medium, with a severity value of 6.5.
CVE-2023-22737 can be exploited by any member of a conversation who wishes to remove a bot, regardless of their role in the conversation.
CVE-2023-22737 has been patched in wire-server version 2022-12-09.