CVE-2022-29168 : Security Advisory and Response
Learn about CVE-2022-29168 where Wire messaging application is vulnerable to arbitrary code execution due to a critical flaw, allowing attackers to fully control user accounts. Find out about the impact, affected systems, and mitigation steps.
Wire messaging application is vulnerable to arbitrary HTML and Javascript execution due to improper escaping when rendering
@mentionsUnderstanding CVE-2022-29168
This CVE highlights a critical vulnerability in Wire messages that allows attackers to execute arbitrary code within the context of the victim.
What is CVE-2022-29168?
Wire, a secure messaging application, is susceptible to arbitrary code execution through insufficient escaping during the rendering of
@mentionsThe Impact of CVE-2022-29168
The impact of this CVE is critical, with a CVSS base score of 9.6 (Critical). With high impacts on confidentiality, integrity, and availability, attackers can exploit this vulnerability through network access without any privileges.
Technical Details of CVE-2022-29168
The technical details shed light on the vulnerability description, affected systems and versions, and the exploitation mechanism.
Vulnerability Description
The vulnerability allows for arbitrary HTML and Javascript execution within Wire messages, leading to full user account compromise.
Affected Systems and Versions
Versions of wire-webapp prior to 2022-05-04-production.0 and 2022-05-04-production.0-v0.29.7-0-a6f2ded are affected. Wire-desktop clients connected to vulnerable wire-webapp versions are also at risk.
Exploitation Mechanism
Attackers can exploit this vulnerability by sending malicious messages containing the payload. When a user views the message, the code gets executed, giving the attacker control over the victim's account.
Mitigation and Prevention
To prevent exploitation, immediate steps and long-term security practices are recommended along with patching and updating procedures.
Immediate Steps to Take
All instances of wire-webapp should be updated to versions 2022-05-04-production.0 and 2022-05-04-production.0-v0.29.7-0-a6f2ded deployed by Wire. No known workarounds are available.
Long-Term Security Practices
Regularly update Wire applications and components to the latest secure versions. Educate users about safe messaging practices to prevent such attacks.
Patching and Updates
Ensure on-premise instances are updated to docker tag 2022-05-04-production.0-v0.29.7-0-a6f2ded or wire-server 2022-05-04 (chart/4.11.0) or later to mitigate the vulnerability.