CVE-2021-32755 MEDIUM

CVE-2021-32755: Certificate pinning is not enforced on the web socket connection

Vendor Wireapp
Product wire-ios-transport
Weakness CWE-295
Published July 13, 2021
Last update August 3, 2024

CVSS base score

5.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

01Description

Wire is a collaboration platform. wire-ios-transport handles authentication of requests, network failures, and retries for the iOS implementation of Wire. In the 3.82 version of the iOS application, a new web socket implementation was introduced for users running iOS 13 or higher. This new websocket implementation is not configured to enforce certificate pinning when available. Certificate pinning for the new websocket is enforced in version 3.84 or above.

Key dates

02Disclosure timeline

July 13, 2021 CVE published
August 3, 2024 Record updated