CVE-2021-21400

high-risk
Published 2021-04-02

wire-webapp is an open-source front end for Wire, a secure collaboration platform. In wire-webapp before version 2021-03-15-production.0, when being prompted to enter the app-lock passphrase, the typed passphrase will be sent into the most recently used chat when the user does not actively give focus to the input field. Input element focus is enforced programatically in version 2021-03-15-production.0.

Do I need to act?

-
0.42% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.1/10 High
NETWORK / LOW complexity

Affected Products (20)

Wire-Webapp
Wire-Webapp
Wire-Webapp
Wire-Webapp
Wire-Webapp
Wire-Webapp
Wire-Webapp
Wire-Webapp
Wire-Webapp
Wire-Webapp
Wire-Webapp
Wire-Webapp
Wire-Webapp
Wire-Webapp
Wire-Webapp
Wire-Webapp
Wire-Webapp
Wire-Webapp
Wire-Webapp
Wire-Webapp

Affected Vendors

Wire

References (8)

Patch https://github.com/wireapp/wire-webapp/commit/281f2a9d795f68abe423c116d5da4e1e73...
Patch https://github.com/wireapp/wire-webapp/pull/10704
Release Notes https://github.com/wireapp/wire-webapp/releases/tag/2021-03-15-production.0
Third Party Advisory https://github.com/wireapp/wire-webapp/security/advisories/GHSA-cxwr-f2j3-q8hp
Patch https://github.com/wireapp/wire-webapp/commit/281f2a9d795f68abe423c116d5da4e1e73...
Patch https://github.com/wireapp/wire-webapp/pull/10704
Release Notes https://github.com/wireapp/wire-webapp/releases/tag/2021-03-15-production.0
Third Party Advisory https://github.com/wireapp/wire-webapp/security/advisories/GHSA-cxwr-f2j3-q8hp
60
/ 100
high-risk
Severity 25/34 · High
Exploitability 2/34 · Minimal
Exposure 33/34 · Critical