PT-2021-14474 · Wire · Wire-Server

Raphaelrobert

Published 2021-03-26 · Updated 2021-08-27

CVE-2021-21396

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

wire-server versions 2021-02-16 through 2021-03-02

Description

The client metadata of all users was exposed through the "GET /users/list-clients" endpoint. Any logged-in user could call this endpoint to request the client details of any other user, provided they knew that user's User ID. The exposed metadata included id, class, type, location, time, and cookie. A user on a Wire backend could therefore use this endpoint to learn the registration time and location of every device belonging to a given list of users.

Recommendations

For versions 2021-02-16 through 2021-03-02, update to version 2021-03-02 to resolve the issue. As a temporary workaround, consider removing "/list-clients" from the nginx config to minimize the risk of exploitation.
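The pattern behind the fix, as an added illustration that is not wire-server's own code: a list-clients handler that returns full client records only to the owner and restricts other authenticated users to a non-sensitive projection. The in-memory store, the sample records and the choice of id and class as the public fields are assumptions made for this example; the field names follow the metadata the advisory lists.

```python
from typing import Dict, List, Optional

# Constructed sample data keyed by user id; one client record per user.
CLIENTS: Dict[str, List[dict]] = {
    "user-a": [{"id": "c1", "class": "phone", "type": "permanent",
                "location": "52.5,13.4", "time": "2021-02-20T10:00:00Z",
                "cookie": "cookie-a1"}],
    "user-b": [{"id": "c2", "class": "desktop", "type": "permanent",
                "location": "48.8,2.3", "time": "2021-02-21T11:00:00Z",
                "cookie": "cookie-b1"}],
}

# Fields safe to reveal to users other than the owner (assumption for this example).
PUBLIC_FIELDS = frozenset({"id", "class"})


def list_clients_vulnerable(requester: Optional[str], user_ids: List[str]) -> Dict[str, List[dict]]:
    """The behaviour the advisory describes: any logged-in user gets every field of every client."""
    if requester is None:
        raise PermissionError("authentication required")
    return {uid: [dict(c) for c in CLIENTS.get(uid, [])] for uid in user_ids}


def list_clients_fixed(requester: Optional[str], user_ids: List[str]) -> Dict[str, List[dict]]:
    """Full records for the requester's own clients; only PUBLIC_FIELDS for anyone else's."""
    if requester is None:
        raise PermissionError("authentication required")
    result: Dict[str, List[dict]] = {}
    for uid in user_ids:
        records = CLIENTS.get(uid, [])
        if uid == requester:
            result[uid] = [dict(c) for c in records]
        else:
            result[uid] = [{k: v for k, v in c.items() if k in PUBLIC_FIELDS} for c in records]
    return result


if __name__ == "__main__":
    # user-a asking about user-b: the vulnerable handler leaks location, time and cookie.
    print(list_clients_vulnerable("user-a", ["user-b"]))
    print(list_clients_fixed("user-a", ["user-a", "user-b"]))
```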

Fix

Information Disclosure


Weakness Enumeration

Related Identifiers

CVE-2021-21396
GHSA-QX8Q-RHQ2-RG4J

Affected Products

Wire-Server