CVE-2022-24799
📋 TL;DR
This is a cross-site scripting (XSS) vulnerability in Wire's web application interface that allows attackers to inject and execute arbitrary JavaScript code through malicious markdown messages. When exploited, it enables full account takeover of victims who view the malicious messages. Both Wire web application users and desktop clients connected to vulnerable instances are affected.
💻 Affected Systems
- wire-webapp
- wire-desktop
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of user accounts, allowing attackers to read all messages, send messages as the victim, access contacts, and potentially pivot to other systems.
Likely Case
Account takeover leading to data theft, unauthorized message sending, and potential lateral movement within the organization.
If Mitigated
No impact if patched; unpatched systems remain fully vulnerable to account compromise.
🎯 Exploit Status
Exploitation requires sending a malicious message to a victim who views it. The vulnerability is in markdown code highlighting parsing.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: wire-webapp 2022-03-30-production.0 or docker tag 2022-03-30-production.0-v0.29.2-0-d144552 or wire-server 2022-03-30 (chart/4.8.0)
Vendor Advisory: https://github.com/wireapp/wire-webapp/security/advisories/GHSA-5568-rfh8-vmhq
Restart Required: Yes
Instructions:
1. Update wire-webapp to version 2022-03-30-production.0 or later.
2. For on-premise instances, update to docker tag 2022-03-30-production.0-v0.29.2-0-d144552 or wire-server 2022-03-30 (chart/4.8.0).
3. Restart the application services.
🔧 Temporary Workarounds
No workarounds available
The vendor states there are no known workarounds for this vulnerability.
🧯 If You Can't Patch
- Isolate vulnerable instances from internet access to reduce attack surface
- Implement strict monitoring for suspicious message patterns and account activity
🔍 How to Verify
Check if Vulnerable:
Check wire-webapp version; if earlier than 2022-03-30-production.0, the system is vulnerable.
Check Version:
Check application version in web interface or container metadata; for docker: docker inspect wire-webapp | grep version
Verify Fix Applied:
Confirm wire-webapp version is 2022-03-30-production.0 or later, or docker tag includes 2022-03-30-production.0-v0.29.2-0-d144552.
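The version comparison above can be scripted. The following is an added example, not code from Wire or from the advisory. It assumes release and docker tags have the shape YYYY-MM-DD-production.N with an optional suffix, as the two fixed tags on this page do; the other sample tags are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a wire-webapp release/docker tag against the
# fixed release named in the advisory (2022-03-30-production.0).
FIXED_DATE="2022-03-30"
FIXED_BUILD=0

# Prints "patched", "vulnerable" or "unknown" for one tag.
wire_webapp_status() {
    tag=$1
    # Assumed tag shape: YYYY-MM-DD-production.N[-suffix].
    # sed prints "DATE BUILD" on a match and nothing otherwise.
    core=$(printf '%s\n' "$tag" | sed -nE \
        's/^([0-9]{4}-[0-9]{2}-[0-9]{2})-production\.([0-9]+)(-.*)?$/\1 \2/p')
    if [ -z "$core" ]; then
        # Staging builds, "latest", digests etc. cannot be judged by name.
        echo unknown
        return 0
    fi
    date=${core% *}
    build=${core#* }
    # ISO dates order correctly as integers once the dashes are removed.
    d=$(printf '%s' "$date" | tr -d '-')
    f=$(printf '%s' "$FIXED_DATE" | tr -d '-')
    if [ "$d" -gt "$f" ]; then
        echo patched
    elif [ "$d" -lt "$f" ]; then
        echo vulnerable
    elif [ "$build" -ge "$FIXED_BUILD" ]; then
        echo patched
    else
        echo vulnerable
    fi
}

# Constructed sample inventory; the first two tags are the fixed ones
# quoted on this page, the rest are made up for the demonstration.
for t in \
    2022-03-30-production.0 \
    2022-03-30-production.0-v0.29.2-0-d144552 \
    2022-03-16-production.0 \
    2022-04-05-production.1 \
    latest
do
    printf '%-45s %s\n' "$t" "$(wire_webapp_status "$t")"
done
```

Treat an "unknown" result as unverified rather than safe, and confirm the running version in the web interface or container metadata.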
📡 Detection & Monitoring
Log Indicators:
- Unusual message patterns with HTML/JavaScript in markdown code blocks
- Multiple failed login attempts or account access from new locations
Network Indicators:
- Unusual outbound connections from wire-webapp instances
- Suspicious message payloads in traffic
SIEM Query:
Search for messages containing script tags or JavaScript code within markdown code highlighting syntax in application logs.
🔗 References
- https://github.com/wireapp/wire-webapp/commit/d14455252a949dc83f36d45e2babbdd9328af2a4
- https://github.com/wireapp/wire-webapp/releases/tag/2022-03-30-production.0
- https://github.com/wireapp/wire-webapp/security/advisories/GHSA-5568-rfh8-vmhq