CVE-2020-27853
CRITICALWire < 3.21.2936/3.21.3932/3.21.3959, 5.3-6.3, < 3.49.918, < 3.61 - RCE via SDP Media Attribute Format String
Title source: llmDescription
Wire before 2020-10-16 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a format string. This affects Wire AVS (Audio, Video, and Signaling) 5.3 through 6.x before 6.4, the Wire Secure Messenger application before 3.49.918 for Android, and the Wire Secure Messenger application before 3.61 for iOS. This occurs via the value parameter to sdp_media_set_lattr in peerflow/sdp.c.
References (2)
Core 2
Core References
Exploit, Third Party Advisory x_refsource_misc
https://github.com/wireapp/wire-audio-video-signaling/issues/23#issuecomment-710075689
Exploit, Third Party Advisory x_refsource_misc
http://github.security.telekom.com/2020/11/wire-secure-messenger-format-string-vulnerability.html
Scores
CVSS v3
9.8
EPSS
0.0378
EPSS Percentile
88.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-134
Status
published
Products (6)
wire/wire
< 3.21.2936
wire/wire
< 3.21.3932
wire/wire
< 3.21.3959
wire/wire_-_audio\,_video\,_and_signaling
5.3 - 6.4
wire/wire_secure_messenger
< 3.49.918
wire/wire_secure_messenger
< 3.61
Published
Oct 27, 2020
Tracked Since
Feb 18, 2026