CVE-2020-27853

CRITICAL

Wire < 3.21.2936 - Format String Vulnerability

Title source: rule

Description

Wire before 2020-10-16 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a format string. This affects Wire AVS (Audio, Video, and Signaling) 5.3 through 6.x before 6.4, the Wire Secure Messenger application before 3.49.918 for Android, and the Wire Secure Messenger application before 3.61 for iOS. This occurs via the value parameter to sdp_media_set_lattr in peerflow/sdp.c.

References (2)

[Exploit, Third Party Advisory] https://github.com/wireapp/wire-audio-video-signaling/issues/23#issuecomment-710075689

[Exploit, Third Party Advisory] http://github.security.telekom.com/2020/11/wire-secure-messenger-format-string-vulnerability.html

Scores

CVSS v3 9.8

EPSS 0.0322

EPSS Percentile 87.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-134

Status published

Products (6)

wire/wire < 3.21.2936

wire/wire < 3.21.3932

wire/wire < 3.21.3959

wire/wire_-_audio\,_video\,_and_signaling 5.3 - 6.4

wire/wire_secure_messenger < 3.49.918

wire/wire_secure_messenger < 3.61

Published Oct 27, 2020

Tracked Since Feb 18, 2026