CORS `Access-Control-Allow-Origin` settings are too lenient
CVE-2021-41101

5.7MEDIUM

Key Information:

Vendor: Wireapp
Status: Wire-server
Vendor: CVE Published:; 30 September 2021

What is CVE-2021-41101?

wire-server is an open-source back end for Wire, a secure collaboration platform. Before version 2.106.0, the CORS Access-Control-Allow-Origin header set by nginz is set for all subdomains of .wire.com (including wire.com). This means that if somebody were to find an XSS vector in any of the subdomains, they could use it to talk to the Wire API using the user's Cookie. A patch does not exist, but a workaround does. To make sure that a compromise of one subdomain does not yield access to the cookie of another, one may limit the Access-Control-Allow-Origin header to apps that actually require the cookie (account-pages, team-settings and the webapp).

Affected Version(s)

wire-server < 2.106.0

References

https://github.com/wireapp/wire-server/security/advisorie...

x_refsource_CONFIRM

CVSS V3.1

Score:

5.7

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 30, 2021
Vulnerability Reserved
Sep 15, 2021

CVE-2021-41101 Data

JSON

Wireapp

What is CVE-2021-41101?

Affected Version(s)

References

CVSS V3.1

Timeline