CVE-2023-48221 - OpenCVE

wire-avs provides Audio, Visual, and Signaling (AVS) functionality sure the secure messaging software Wire. Prior to versions 9.2.22 and 9.3.5, a remote format string vulnerability could potentially allow an attacker to cause a denial of service or possibly execute arbitrary code. The issue has been fixed in wire-avs 9.2.22 & 9.3.5 and is already included on all Wire products. No known workarounds are available.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required High

Scope Changed

Confidentiality Impact None

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Wire	Audio\, Video\, And Signaling

Configuration 1 [-]

OR	cpe:2.3:a:wire:audio\,_video\,_and_signaling::::::::
	cpe:2.3:a:wire:audio\,_video\,_and_signaling::::::::

No data.

References

Link	Providers
https://github.com/wireapp/wire-avs/commit/364c3326a1331a84607bce2e17126306d39150cd
https://github.com/wireapp/wire-avs/security/advisories/GHSA-m4xg-fcr3-w3pq

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-11-20T17:18:19.030Z

Updated: 2024-08-02T21:23:39.025Z

Reserved: 2023-11-13T13:25:18.480Z

Link: CVE-2023-48221

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-11-20T18:15:06.850

Modified: 2023-11-29T20:51:57.723

Link: CVE-2023-48221

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-48221", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-11-13T13:25:18.480Z", "datePublished": "2023-11-20T17:18:19.030Z", "dateUpdated": "2024-08-02T21:23:39.025Z"}, "containers": {"cna": {"title": "wire-avs remote format string vulnerability ", "problemTypes": [{"descriptions": [{"cweId": "CWE-134", "lang": "en", "description": "CWE-134: Use of Externally-Controlled Format String", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/wireapp/wire-avs/security/advisories/GHSA-m4xg-fcr3-w3pq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/wireapp/wire-avs/security/advisories/GHSA-m4xg-fcr3-w3pq"}, {"name": "https://github.com/wireapp/wire-avs/commit/364c3326a1331a84607bce2e17126306d39150cd", "tags": ["x_refsource_MISC"], "url": "https://github.com/wireapp/wire-avs/commit/364c3326a1331a84607bce2e17126306d39150cd"}], "affected": [{"vendor": "wireapp", "product": "wire-avs", "versions": [{"version": "< 9.2.22", "status": "affected"}, {"version": ">= 9.3.0, < 9.3.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-11-20T17:18:19.030Z"}, "descriptions": [{"lang": "en", "value": "wire-avs provides Audio, Visual, and Signaling (AVS) functionality sure the secure messaging software Wire. Prior to versions 9.2.22 and 9.3.5, a remote format string vulnerability could potentially allow an attacker to cause a denial of service or possibly execute arbitrary code. The issue has been fixed in wire-avs 9.2.22 & 9.3.5 and is already included on all Wire products. No known workarounds are available."}], "source": {"advisory": "GHSA-m4xg-fcr3-w3pq", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T21:23:39.025Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/wireapp/wire-avs/security/advisories/GHSA-m4xg-fcr3-w3pq", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/wireapp/wire-avs/security/advisories/GHSA-m4xg-fcr3-w3pq"}, {"name": "https://github.com/wireapp/wire-avs/commit/364c3326a1331a84607bce2e17126306d39150cd", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/wireapp/wire-avs/commit/364c3326a1331a84607bce2e17126306d39150cd"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wire:audio\\,_video\\,_and_signaling:*:*:*:*:*:*:*:*", "matchCriteriaId": "0824D9AA-1F5B-4F7E-BB83-5472539AE5E2", "versionEndExcluding": "9.2.22", "vulnerable": true}, {"criteria": "cpe:2.3:a:wire:audio\\,_video\\,_and_signaling:*:*:*:*:*:*:*:*", "matchCriteriaId": "30DFE66C-5656-4EDF-95C5-9405B080A6AB", "versionEndIncluding": "9.3.5", "versionStartIncluding": "9.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "wire-avs provides Audio, Visual, and Signaling (AVS) functionality sure the secure messaging software Wire. Prior to versions 9.2.22 and 9.3.5, a remote format string vulnerability could potentially allow an attacker to cause a denial of service or possibly execute arbitrary code. The issue has been fixed in wire-avs 9.2.22 & 9.3.5 and is already included on all Wire products. No known workarounds are available."}, {"lang": "es", "value": "wire-avs proporciona funcionalidad de Audio, Visual, and Signaling (AVS) en el software de mensajer\u00eda segura Wire. Antes de las versiones 9.2.22 y 9.3.5, una vulnerabilidad de cadena de formato remoto podr\u00eda permitir a un atacante provocar una Denegaci\u00f3n de Servicio o posiblemente ejecutar c\u00f3digo arbitrario. El problema se solucion\u00f3 en wire-avs 9.2.22 y 9.3.5 y ya est\u00e1 incluido en todos los productos Wire. No hay workarounds conocidos disponibles."}], "id": "CVE-2023-48221", "lastModified": "2023-11-29T20:51:57.723", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-11-20T18:15:06.850", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/wireapp/wire-avs/commit/364c3326a1331a84607bce2e17126306d39150cd"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/wireapp/wire-avs/security/advisories/GHSA-m4xg-fcr3-w3pq"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-134"}], "source": "security-advisories@github.com", "type": "Primary"}]}