PT-2020-6691 · Wire-Avs+2

Published 2020-10-27 · Updated 2020-12-07 · CVE-2020-27853

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Wire versions prior to 2020-10-16
Wire AVS (Audio, Video, and Signaling) versions 5.3 through 6.x before 6.4
Wire Secure Messenger application versions prior to 3.49.918 for Android
Wire Secure Messenger application versions prior to 3.61 for iOS

Description

The issue is an uncontrolled format string in the sdp_media_set_lattr() function of the Wire Secure Messenger application. It could allow a remote attacker to execute arbitrary code or cause a denial of service. The vulnerability is exploited via the value parameter to sdp_media_set_lattr in peerflow/sdp.c.

Recommendations

For Wire AVS (Audio, Video, and Signaling) versions 5.3 through 6.x before 6.4, update to version 6.4 or later.
For Wire Secure Messenger application versions prior to 3.49.918 for Android, update to version 3.49.918 or later.
For Wire Secure Messenger application versions prior to 3.61 for iOS, update to version 3.61 or later.
As a temporary workaround, consider restricting access to the sdp_media_set_lattr function in peerflow/sdp.c until a patch is available.
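The bug class named in the description, shown as an added example that is not Wire's code and not part of the original advisory: a printf-style attribute setter receives a peer-supplied value, and the hardened wrapper passes that value as data under a constant format. The names attr_set and attr_set_untrusted and the sample value are hypothetical, and the setter's printf-style signature is an assumption.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a printf-style attribute setter (assumed shape:
 * a format string followed by varargs). The format attribute lets GCC/Clang
 * check every call site, e.g. with -Wformat-security. */
__attribute__((format(printf, 4, 5)))
static int attr_set(char *out, size_t outlen, const char *name,
                    const char *fmt, ...)
{
    char val[128];
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(val, sizeof val, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= sizeof val)
        return -1;                      /* reject truncated values */

    n = snprintf(out, outlen, "a=%s:%s", name, val);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* VULNERABLE pattern (kept out of the build): the peer-supplied value is
 * passed as the format, so any '%' conversion in it is interpreted.
 *
 *     attr_set(out, outlen, name, value);
 */

/* Hardened form: constant format, untrusted value passed as data. */
static int attr_set_untrusted(char *out, size_t outlen,
                              const char *name, const char *value)
{
    return attr_set(out, outlen, name, "%s", value);
}

int main(void)
{
    /* Constructed sample value containing conversion specifiers. */
    const char *value = "sha-256 %x%x%s";
    char line[256];

    if (attr_set_untrusted(line, sizeof line, "fingerprint", value) == 0)
        puts(line);                     /* '%' sequences survive verbatim */
    return 0;
}
```

Building with -Wformat -Wformat-security makes the compiler warn on the commented-out call shape, which is a quick way to audit other callers of a variadic setter.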

Exploit

Fix

Weakness Enumeration

Use of Externally-Controlled Format String
Improper Resource Release

Related Identifiers

BDU:2022-04680
CVE-2020-27853

Affected Products

Wire
Wire-Avs
Wire Secure Messenger