CVE-2021-32755

Wire is a collaboration platform. wire-ios-transport handles authentication of requests, network failures, and retries for the iOS implementation of Wire. In the 3.82 version of the iOS application, a new web socket implementation was introduced for users running iOS 13 or higher. This new websocket implementation is not configured to enforce certificate pinning when available. Certificate pinning for the new websocket is enforced in version 3.84 or above.

CVSS v3 4.3 MEDIUM
CVSS v2.0 4.0 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

4.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:N/I:P/A:N

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://github.com/wireapp/wire-ios-transport/security/advisories/GHSA-v8mx-h3vj-w39v	Third Party Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:a:wire:wire:*:*:*:*:*:*:*:*

cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*

History

16 Jul 2021, 15:15

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : 4.0 v3 : 4.3
CWE		CWE-295
CPE		cpe:2.3:o:apple:iphone_os:::::::: cpe:2.3:a:wire:wire::::::::
References	~~(CONFIRM) https://github.com/wireapp/wire-ios-transport/security/advisories/GHSA-v8mx-h3vj-w39v -~~	(CONFIRM) https://github.com/wireapp/wire-ios-transport/security/advisories/GHSA-v8mx-h3vj-w39v - Third Party Advisory

13 Jul 2021, 21:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2021-07-13 21:15

Updated : 2023-12-10 13:55

NVD link : CVE-2021-32755

Mitre link : CVE-2021-32755

CVE.ORG link : CVE-2021-32755

JSON object : View

Products Affected

apple

iphone_os

wire

wire

CWE

CWE-295

Improper Certificate Validation

{"id": "CVE-2021-32755", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 2.8}]}, "published": "2021-07-13T21:15:07.737", "references": [{"url": "https://github.com/wireapp/wire-ios-transport/security/advisories/GHSA-v8mx-h3vj-w39v", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-295"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-295"}]}], "descriptions": [{"lang": "en", "value": "Wire is a collaboration platform. wire-ios-transport handles authentication of requests, network failures, and retries for the iOS implementation of Wire. In the 3.82 version of the iOS application, a new web socket implementation was introduced for users running iOS 13 or higher. This new websocket implementation is not configured to enforce certificate pinning when available. Certificate pinning for the new websocket is enforced in version 3.84 or above."}, {"lang": "es", "value": "Wire es una plataforma de colaboraci\u00f3n. wire-ios-transport maneja la autenticaci\u00f3n de peticiones, los fallos de red y los reintentos para la implementaci\u00f3n de Wire en iOS. En la versi\u00f3n 3.82 de la aplicaci\u00f3n iOS, se introdujo una nueva implementaci\u00f3n de websocket para los usuarios que ejecutan iOS versi\u00f3n 13 o superior. Esta nueva implementaci\u00f3n de websocket no est\u00e1 configurada para aplicar la fijaci\u00f3n de certificados cuando est\u00e1 disponible. La fijaci\u00f3n de certificados para el nuevo websocket se aplica en la versi\u00f3n 3.84 o superior"}], "lastModified": "2021-07-16T15:15:47.227", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wire:wire:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "68C9EF30-515C-4DD1-B2C8-0EF94CA78B9E", "versionEndExcluding": "3.84"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "FF8F6B65-EBEA-4C30-9908-14EF61559016", "versionStartIncluding": "13.0"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "security-advisories@github.com"}