CVE-2021-41094 MEDIUM

CVE-2021-41094: Mandatory encryption at rest can be bypassed (UI) in Wire app

Vendor Wireapp
Product wire-ios
Weakness CWE-668
Published October 4, 2021
Last update August 4, 2024

CVSS base score

4.2/10
Attack vector Local
Attack complexity Low
Privileges required High
User interaction Required
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N

What the vulnerability does

01 Description

Wire is an open source secure messenger. Users of Wire by Bund may bypass the mandatory encryption at rest feature by simply disabling their device passcode. On launch, the app attempts to enable encryption at rest by generating encryption keys via the Secure Enclave, but this fails silently if no device passcode is set. The user has no indication that encryption at rest is not active, since the feature is hidden from them. This issue has been resolved in version 3.70.
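The failure mode described above, handled fail-closed, as an added Swift example (not code from wire-ios and not the change shipped in 3.70). The names `makeEncryptionAtRestKey`, `unlockStore`, `EncryptionAtRestError` and the key tag are hypothetical; the Security and LocalAuthentication calls are standard iOS APIs.

```swift
import Foundation
import LocalAuthentication
import Security

enum EncryptionAtRestError: Error {
    case passcodeNotSet
    case accessControlFailed(Error?)
    case keyGenerationFailed(Error?)
}

/// Hypothetical helper: returns a passcode-bound Secure Enclave key or throws.
func makeEncryptionAtRestKey(tag: String) throws -> SecKey {
    // Check up front so the caller can tell the user a passcode is required.
    var laError: NSError?
    if !LAContext().canEvaluatePolicy(.deviceOwnerAuthentication, error: &laError),
       laError?.code == LAError.Code.passcodeNotSet.rawValue {
        throw EncryptionAtRestError.passcodeNotSet
    }
    var cfError: Unmanaged<CFError>?
    // This protection class cannot be created or used without a device passcode.
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault, kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        .privateKeyUsage, &cfError
    ) else {
        throw EncryptionAtRestError.accessControlFailed(cfError?.takeRetainedValue())
    }
    let attributes: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits as String: 256,
        kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,
        kSecPrivateKeyAttrs as String: [
            kSecAttrIsPermanent as String: true,
            kSecAttrApplicationTag as String: Data(tag.utf8),
            kSecAttrAccessControl as String: access
        ] as [String: Any]
    ]
    guard let key = SecKeyCreateRandomKey(attributes as CFDictionary, &cfError) else {
        throw EncryptionAtRestError.keyGenerationFailed(cfError?.takeRetainedValue())
    }
    return key
}

/// Fail closed: when the policy is mandatory, a key error must block the store.
func unlockStore(encryptionAtRestRequired: Bool) -> Bool {
    do {
        _ = try makeEncryptionAtRestKey(tag: "com.example.ear.key") // constructed tag
        return true
    } catch {
        // The silent-failure pattern is `try?` here, then continuing unencrypted.
        NSLog("Encryption at rest unavailable: \(error)")
        return !encryptionAtRestRequired
    }
}
```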

Key dates

02 Disclosure timeline

October 4, 2021 CVE published
August 4, 2024 Record updated