Skip to content

DoS vulnerability: Invalid Accent Colors

Moderate
comawill published GHSA-83m6-p7x5-925j Jun 21, 2022

Package

wire-ios (wire)

Affected versions

<3.100

Patched versions

3.100

Description

Impact

Invalid accent colors of Wire communication partners may render the iOS Wire Client partially unusable by causing it to crash multiple times on launch.
These invalid accent colors can be used by and sent between Wire users.

The root cause was a unnecessary assert statement when converting a integer value into the corresponding enum value.
This assert caused an exception instead of a fallback to a default value.

This causes undesirable behavior, however the (greater) Wire system is still functional.

Patches

  • The root cause was fixed in wire-ios
  • Wire for iOS 3.100

Workarounds

There is no workaround available, but users may use other Wire clients (such as the web app) to continue using Wire.

Credits

We thank Markus Vervier of X41 for reporting this vulnerability!

Severity

Moderate
5.7
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H

CVE ID

CVE-2022-31009

Weaknesses

No CWEs