wire-server provides back end services for Wire, a team communication and collaboration platform. Prior to version 2022-12-09, every member of a Conversation can remove a Bot from a Conversation due to a missing permissions check. Only Conversation admins should be able to remove Bots. Regular Conversations are not allowed to do so. The issue is fixed in wire-server 2022-12-09 and is already deployed on all Wire managed services. On-premise instances of wire-server need to be updated to 2022-12-09/Chart 4.29.0, so that their backends are no longer affected. There are no known workarounds.
The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state.
| Link | Tags |
|---|---|
| https://github.com/wireapp/wire-server/security/advisories/GHSA-xmjc-c6w3-pcp4 | third party advisory |
| https://github.com/wireapp/wire-server/pull/2870 | third party advisory patch |
| https://github.com/wireapp/wire-server/commit/494a6881f5895d4ed9e5d011455242be0d5e6223 | third party advisory patch |
| https://github.com/wireapp/wire-server/releases/tag/v2022-12-09 | third party advisory release notes |