Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2021-21396

Good to know:

icon

Date: March 26, 2021

wire-server is an open-source back end for Wire, a secure collaboration platform. In wire-server from version 2021-02-16 and before version 2021-03-02, the client metadata of all users was exposed in the `GET /users/list-clients` endpoint. The endpoint could be used by any logged in user who could request client details of any other user (no connection required) as far as they can find their User ID. The exposed metadata included id, class, type, location, time, and cookie. A user on a Wire backend could use this endpoint to find registration time and location for each device for a given list of users. As a workaround, remove `/list-clients` from nginx config. This has been fixed in version 2021-03-02.

Language: HASKELL

Severity Score

Related Resources (5)

https://github.com/wireapp/wire-server/releases/tag/v2021-03-02
https://github.com/wireapp/wire-server/security/advisories/GHSA-qx8q-rhq2-rg4j
https://nvd.nist.gov/vuln/detail/CVE-2021-21396
https://github.com/wireapp/wire-server/commit/7ba2bf4140282557cf215e0b2c354d4d08cd3421
https://www.mend.io/vulnerability-database/CVE-2021-21396

Severity Score

Weakness Type (CWE)

Information Leak / Disclosure

CWE-200

Top Fix

icon

Upgrade Version

Upgrade to version 2021-03-02

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): LOW
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): NONE
Availability (A): NONE

CVSS v2

Base Score:
Access Vector (AV): NETWORK
Access Complexity (AC): LOW
Authentication (AU): SINGLE
Confidentiality (C): PARTIAL
Integrity (I): NONE
Availability (A): NONE
Additional information:

Do you need more information?

Contact Us