Vulnerability Details : CVE-2023-22737
wire-server provides back end services for Wire, a team communication and collaboration platform. Prior to version 2022-12-09, every member of a Conversation can remove a Bot from a Conversation due to a missing permissions check. Only Conversation admins should be able to remove Bots. Regular Conversations are not allowed to do so. The issue is fixed in wire-server 2022-12-09 and is already deployed on all Wire managed services. On-premise instances of wire-server need to be updated to 2022-12-09/Chart 4.29.0, so that their backends are no longer affected. There are no known workarounds.
Products affected by CVE-2023-22737
- cpe:2.3:a:wire:wire:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-22737
0.11%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 45 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-22737
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.5
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
2.8
|
3.6
|
NIST | |
6.5
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
2.8
|
3.6
|
GitHub, Inc. |
CWE ids for CVE-2023-22737
-
The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state.Assigned by: security-advisories@github.com (Primary)
-
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.Assigned by: security-advisories@github.com (Primary)
References for CVE-2023-22737
-
https://github.com/wireapp/wire-server/security/advisories/GHSA-xmjc-c6w3-pcp4
Unauthorized removal of Bots from Conversations · Advisory · wireapp/wire-server · GitHubThird Party Advisory
-
https://github.com/wireapp/wire-server/releases/tag/v2022-12-09
Release 2022-12-09 (Chart Release 4.29.0) · wireapp/wire-server · GitHubRelease Notes;Third Party Advisory
-
https://github.com/wireapp/wire-server/pull/2870
[SQSERVICES-1801] Prevent dead bots in database by battermann · Pull Request #2870 · wireapp/wire-server · GitHubPatch;Third Party Advisory
-
https://github.com/wireapp/wire-server/commit/494a6881f5895d4ed9e5d011455242be0d5e6223
[SQSERVICES-1801] Prevent dead bots in database (#2870) · wireapp/wire-server@494a688 · GitHubPatch;Third Party Advisory
Jump to