Improper Handling of Insufficient Permissions or Privileges

CVE-2023-22737

Medium

6.5/10

Summary

wire-server provides back end services for Wire, a team communication and collaboration platform. Prior to version 2022-12-09, every member of a Conversation can remove a Bot from a Conversation due to a missing permissions check. Only Conversation admins should be able to remove Bots. Regular Conversations are not allowed to do so. The issue is fixed in wire-server 2022-12-09 and is already deployed on all Wire managed services. On-premise instances of wire-server need to be updated to 2022-12-09/Chart 4.29.0, so that their backends are no longer affected. There are no known workarounds.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: NONE
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: LOW
Confidentiality Impact: NONE
Availability Impact: HIGH

CWE-280 - Improper Handling of Insufficient Permissions or Privileges

The application does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the application in an invalid state.

References

Advisory Timeline

Published Jan 28, 2023

Improper Handling of Insufficient Permissions or Privileges

CVE-2023-22737

Summary

CWE-280 - Improper Handling of Insufficient Permissions or Privileges

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS