
Raphaelrobert

#41132 of 53,622
6.5 Total CVSS
Vulnerabilities · 1
PT-2021-14474
6.5
2021-03-26
Wire · Wire-Server · CVE-2021-21396
**Name of the Vulnerable Software and Affected Versions**

wire-server versions 2021-02-16 through 2021-03-02

**Description**

The client metadata of all users was exposed in the "GET /users/list-clients" endpoint. Any logged-in user could use this endpoint to request the client details of any other user, as long as they could find that user's User ID. The exposed metadata included `id`, `class`, `type`, `location`, `time`, and `cookie`. A user on a Wire backend could use this endpoint to find the registration time and location of each device for a given list of users.

**Recommendations**

For versions 2021-02-16 through 2021-03-02, update to version 2021-03-02 to resolve the issue. As a temporary workaround, consider removing "/list-clients" from the nginx config to minimize the risk of exploitation.