PT-2021-19908 · Wire · Wire

Published: 2021-07-13 · Updated: 2021-07-16 · CVE-2021-32755

CVSS v3.1: 5.4 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Wire versions 3.82 through 3.83

Description

The issue concerns the Wire collaboration platform, specifically the wire-ios-transport component, which handles authentication and network failures for the iOS implementation. Version 3.82 introduced a new web socket implementation for users running iOS 13 or higher, but it does not enforce certificate pinning when available. Without certificate pinning, man-in-the-middle attacks could be possible. Certificate pinning is enforced in versions 3.84 and above.

Recommendations

For versions 3.82 and 3.83, update to version 3.84 or above, which enforces certificate pinning for the new web socket implementation.

Fix

Improper Certificate Validation

Weakness Enumeration

Related Identifiers

CVE-2021-32755
GHSA-V8MX-H3VJ-W39V

Affected Products

Wire