CVE-2020-15258 : In Wire before 3.20.x, `shell.openExternal` was used without checking the URL. T

In Wire before 3.20.x, `shell.openExternal` was used without checking the URL. This vulnerability allows an attacker to execute code on the victims machine by sending messages containing links with arbitrary protocols. The victim has to interact with the link and sees the URL that is opened. The issue was patched by implementing a helper function which checks if the URL's protocol is common. If it is common, the URL will be opened externally. If not, the URL will not be opened and a warning appears for the user informing them that a probably insecure URL was blocked from being executed. The issue is patched in Wire 3.20.x. More technical details about exploitation are available in the linked advisory.

Published 2020-10-16 17:15:12

Updated 2020-10-28 16:38:44

Source GitHub, Inc.

View at NVD, CVE.org

Vulnerability category: Input validationExecute code

Products affected by CVE-2020-15258

Wire » Wire
Versions before (<) 3.20.2934
cpe:2.3:a:wire:wire:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2020-15258

EPSS FAQ

0.56%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 66 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2020-15258

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.0	MEDIUM	AV:N/AC:M/Au:S/C:P/I:P/A:P	6.8	6.4	NIST
Access Vector: Network Access Complexity: Medium Authentication: Single Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
8.0	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H	2.1	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: High
8.0	HIGH	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H	1.3	6.0	GitHub, Inc.
Attack Vector: Network Attack Complexity: High Privileges Required: Low User Interaction: Required Scope: Changed Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2020-15258

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Assigned by: security-advisories@github.com (Primary)

References for CVE-2020-15258

https://github.com/wireapp/wire-desktop/security/advisories/GHSA-5gpx-9976-ggpm

Insecure use of shell.openExternal · Advisory · wireapp/wire-desktop · GitHub
Exploit;Third Party Advisory
https://github.com/wireapp/wire-desktop/commit/b3705fffa75a03f055530f55a754face5ac0623b

Merge pull request from GHSA-5gpx-9976-ggpm · wireapp/wire-desktop@b3705ff · GitHub
Patch;Third Party Advisory
https://benjamin-altpeter.de/shell-openexternal-dangers/

The dangers of Electron's shell.openExternal()—many paths to remote code execution
Exploit;Third Party Advisory

Jump to

Vulnerability Details : CVE-2020-15258

Products affected by CVE-2020-15258

Exploit prediction scoring system (EPSS) score for CVE-2020-15258

CVSS scores for CVE-2020-15258

CWE ids for CVE-2020-15258

References for CVE-2020-15258