PT-2023-18678 · Wire · Wire-Server

Published

2023-01-27

·

Updated

2023-02-08

·

CVE-2023-22737

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

wire-server versions prior to 2022-12-09

Description

The issue is a missing permissions check in wire-server, which provides the backend services for Wire, a team communication and collaboration platform. Because of the missing check, every member of a Conversation can remove a Bot from that Conversation, although only Conversation admins should have this ability. The issue is fixed in wire-server version 2022-12-09 and has been deployed on all Wire managed services.

Recommendations

For wire-server versions prior to 2022-12-09, update to version 2022-12-09 or Chart 4.29.0 to resolve the issue. On-premise instances of wire-server should prioritize this update to prevent further exploitation. As a temporary workaround, consider restricting the ability to remove Bots from Conversations to only Conversation admins until the update can be applied.
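The authorization gap described above, as a constructed model (added here, not wire-server's own code): a conversation with member roles and two versions of the remove-bot handler, where the pre-fix version only checks membership and the post-fix version additionally requires the admin role. The role names, handler names and sample user ids are assumptions for the illustration.

```python
# Constructed illustration of CVE-2023-22737's missing permissions check.
# Not wire-server code: role names and handler names are assumed.
from dataclasses import dataclass, field
from enum import Enum


class Role(Enum):
    MEMBER = "member"
    ADMIN = "admin"


class Forbidden(Exception):
    """Raised when the caller lacks the permission the action requires."""


@dataclass
class Conversation:
    members: dict = field(default_factory=dict)  # user id -> Role
    bots: set = field(default_factory=set)       # ids of bots in the conversation


def _require_member(conv, user):
    if user not in conv.members:
        raise Forbidden(f"{user} is not a member of the conversation")


def remove_bot_vulnerable(conv, user, bot):
    """Pre-fix behaviour: membership alone is enough to remove a bot."""
    _require_member(conv, user)
    conv.bots.discard(bot)
    return bot not in conv.bots


def remove_bot_fixed(conv, user, bot):
    """Post-fix behaviour: the caller must also hold the admin role."""
    _require_member(conv, user)
    if conv.members[user] is not Role.ADMIN:
        raise Forbidden(f"{user} is not a conversation admin")
    conv.bots.discard(bot)
    return bot not in conv.bots


def demo():
    """Plain member 'bob' tries both handlers; returns (vulnerable_removed, fixed_blocked)."""
    def fresh():  # constructed sample conversation: one admin, one member, one bot
        return Conversation({"alice": Role.ADMIN, "bob": Role.MEMBER}, {"bot-1"})
    vulnerable_removed = remove_bot_vulnerable(fresh(), "bob", "bot-1")
    try:
        remove_bot_fixed(fresh(), "bob", "bot-1")
        fixed_blocked = False
    except Forbidden:
        fixed_blocked = True
    return vulnerable_removed, fixed_blocked  # -> (True, True)
```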

Weakness Enumeration

Missing Authorization

Related Identifiers

CVE-2023-22737
GHSA-XMJC-C6W3-PCP4

Affected Products

Wire-Server