CVE-2022-23605
moderate-risk
Published 2022-02-04
Wire webapp is a web client for the Wire messaging protocol. In versions prior to 2022-01-27-production.0, expired ephemeral messages were not reliably removed from the local chat history of Wire Webapp. In versions before 2022-01-27-production.0, ephemeral messages and assets might still be accessible through the local search functionality. Any attempt to view one of these messages in the chat view will then trigger the deletion. This issue only affects locally stored messages. On-premise instances of wire-webapp need to be updated to 2022-01-27-production.0 so that their users are no longer affected. There are no known workarounds for this issue.
Do I need to act?
0.06% chance of exploitation
EPSS score — low exploit probability
Not on CISA KEV list
No confirmed active exploitation reported to CISA
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
CVSS 4.4/10
Medium
LOCAL / LOW complexity
Affected Products (20)
Wire-Webapp
Affected Vendors
References (4)
Third Party Advisory
https://github.com/wireapp/wire-webapp/security/advisories/GHSA-2w3m-ppfg-hg62
48 / 100
moderate-risk
Severity
15/34 · Moderate
Exploitability
0/34 · Minimal
Exposure
33/34 · Critical