CVE-2023-22737

2023-01-2800:15:08

Google

osv.dev

wire-server

vulnerability

unauthorized

removal

bot

conversation

permissions

check

fixed

update

on-premise

6.5 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

40.2%

JSON

wire-server provides back end services for Wire, a team communication and collaboration platform. Prior to version 2022-12-09, every member of a Conversation can remove a Bot from a Conversation due to a missing permissions check. Only Conversation admins should be able to remove Bots. Regular Conversations are not allowed to do so. The issue is fixed in wire-server 2022-12-09 and is already deployed on all Wire managed services. On-premise instances of wire-server need to be updated to 2022-12-09/Chart 4.29.0, so that their backends are no longer affected. There are no known workarounds.

CPENameOperatorVersion
wire-servereqimage/4.12.28
wire-servereqchart=2.116.14,image=2.116.14
wire-servereqimage/2.86.11
wire-servereqchart=2.116.47,image=2.116.47
wire-servereqimage/2.116.38
wire-servereqimage/2.117.8
wire-servereqimage/2.52.20
wire-servereqchart=2.104.4,image=2.104.4
wire-servereqchart=2.107.11,image=2.107.11
wire-servereqdeb/3.15.1

Name	Operator	Version
wire-server	eq	image/4.12.28
wire-server	eq	chart=2.116.14,image=2.116.14
wire-server	eq	image/2.86.11
wire-server	eq	chart=2.116.47,image=2.116.47
wire-server	eq	image/2.116.38
wire-server	eq	image/2.117.8
wire-server	eq	image/2.52.20
wire-server	eq	chart=2.104.4,image=2.104.4
wire-server	eq	chart=2.107.11,image=2.107.11
wire-server	eq	deb/3.15.1