Vulnerability Details : CVE-2021-21400
wire-webapp is an open-source front end for Wire, a secure collaboration platform. In wire-webapp before version 2021-03-15-production.0, when being prompted to enter the app-lock passphrase, the typed passphrase will be sent into the most recently used chat when the user does not actively give focus to the input field. Input element focus is enforced programmatically in version 2021-03-15-production.0.
Vulnerability category: Information leak
Products affected by CVE-2021-21400
Exploit prediction scoring system (EPSS) score for CVE-2021-21400
- 0.12%: Probability of exploitation activity in the next 30 days
- ~ 46 %: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2021-21400
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N | 8.6 | 2.9 | NIST | |
6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | 2.8 | 3.6 | NIST | |
7.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N | 2.8 | 4.2 | GitHub, Inc. | |
CWE ids for CVE-2021-21400
- The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
  Assigned by:
  - nvd@nist.gov (Primary)
  - security-advisories@github.com (Secondary)
References for CVE-2021-21400
- https://github.com/wireapp/wire-webapp/pull/10704
  fix: Force focus on input elements in applock modals by AndyLnd · Pull Request #10704 · wireapp/wire-webapp · GitHub (Patch; Third Party Advisory)
- https://github.com/wireapp/wire-webapp/security/advisories/GHSA-cxwr-f2j3-q8hp
  Entering code in App Lock modal sends input to conversation · Advisory · wireapp/wire-webapp · GitHub (Third Party Advisory)
- https://github.com/wireapp/wire-webapp/commit/281f2a9d795f68abe423c116d5da4e1e73a60062
  fix: Force focus on input elements in AppLock modal (#10704) · wireapp/wire-webapp@281f2a9 · GitHub (Patch; Third Party Advisory)
- https://github.com/wireapp/wire-webapp/releases/tag/2021-03-15-production.0
  Release 2021-03-15-production.0 · wireapp/wire-webapp · GitHub (Release Notes; Third Party Advisory)