PT-2021-23089 · Unknown · Wire-Server

Sebastian-Wire · Published 2021-10-04 · Updated 2021-10-12 · CVE-2021-41100

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Wire-server versions prior to 2021-08-16

Description: The issue allows an attacker to trigger an email address change of a user with only the short-lived session token in the Authorization header, constituting a privilege escalation attack. This can result in an account takeover by the attacker, as they can change the password after setting the email address to one they control. The short-lived tokens are used more often and in the shape of an HTTP header, increasing the risk of exposure to an attacker. If you are running an on-prem instance and provision all users with SCIM, you are not affected by this issue. SAML single sign-on is unaffected by this issue. The vulnerable endpoint is /self/email, which only accepts PUT and DELETE requests.

Recommendations: For versions prior to 2021-08-16, update to version 2021-08-16 or later, which provides a new endpoint that requires both the long-lived client cookie and the Authorization header. As a temporary workaround for on-prem instances that cannot be updated and have at least some users invited or provisioned via SAML SSO, block the /self/email endpoint on nginz or in any other proxies or firewalls.
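To make the difference between the vulnerable and the fixed authorization rule concrete, here is an added, hypothetical model of the check behind PUT /self/email; it is not wire-server's code, and the token formats, cookie name, lifetimes and in-memory stores are constructed for illustration. It shows why a leaked short-lived bearer token alone passed the old check and fails the new one, which also rejects an expired token and credentials belonging to different users.

```python
from dataclasses import dataclass

# Hypothetical model; constructed lifetimes (seconds) and cookie name, not wire-server's values.
SHORT_TTL = 15 * 60
LONG_TTL = 28 * 24 * 3600
COOKIE_NAME = "client_cookie"

@dataclass
class Credential:
    user: str
    issued: float
    ttl: int

    def valid(self, now):
        return now < self.issued + self.ttl

# Constructed in-memory stores keyed by the raw secret value.
ACCESS_TOKENS, COOKIES = {}, {}

def issue(user, now, tag):
    """Issue a short-lived access token and a long-lived client cookie for `user`."""
    token, cookie = f"tok-{tag}", f"ck-{tag}"
    ACCESS_TOKENS[token] = Credential(user, now, SHORT_TTL)
    COOKIES[cookie] = Credential(user, now, LONG_TTL)
    return token, cookie

def bearer_user(headers, now):
    """User behind a valid 'Authorization: Bearer <token>' header, else None."""
    auth = headers.get("Authorization", "")
    cred = ACCESS_TOKENS.get(auth[7:]) if auth.startswith("Bearer ") else None
    return cred.user if cred and cred.valid(now) else None

def cookie_user(cookies, now):
    """User behind a valid long-lived client cookie, else None."""
    cred = COOKIES.get(cookies.get(COOKIE_NAME, ""))
    return cred.user if cred and cred.valid(now) else None

def authorize_email_change_vulnerable(headers, cookies, now):
    """Pre-fix check from the advisory: the short-lived token alone is enough."""
    return bearer_user(headers, now)

def authorize_email_change_fixed(headers, cookies, now):
    """Post-fix check: both credentials must be valid and belong to the same user."""
    u_tok = bearer_user(headers, now)
    return u_tok if u_tok is not None and u_tok == cookie_user(cookies, now) else None
```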

Fix

Weakness Enumeration

Improper Authorization
Insufficient Session Expiration

Related Identifiers

CVE-2021-41100
GHSA-9RM2-W6PQ-333M

Affected Products

Wire-Server