Impact
Due to a missing permissions check, every member of a Conversation can remove a Bot from this Conversation.
Only Conversation admins should be able to remove Bots, regular Conversations are not allowed to do so.
Patches
- The issue is fixed in wire-server 2022-12-09 and is already deployed on all Wire managed services.
- On-premise instances of wire-server need to be updated to 2022-12-09/Chart 4.29.0, so that their backends are no longer affected.
Workarounds
For more information
If you have any questions or comments about this advisory feel free to email us at vulnerability-report@wire.com
Impact
Due to a missing permissions check, every member of a Conversation can remove a Bot from this Conversation.
Only Conversation admins should be able to remove Bots, regular Conversations are not allowed to do so.
Patches
Workarounds
For more information
If you have any questions or comments about this advisory feel free to email us at vulnerability-report@wire.com