Miggo Logo

CVE-2021-41193: Use of Externally-Controlled Format String in wire-avs

9.8

CVSS Score
3.1

Basic Information

EPSS Score
0.80564%
Published
3/1/2022
Updated
2/3/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
com.wire:avsmaven< 7.1.127.1.12

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability (CWE-134) explicitly involves format string exploitation. The commit 40d373e's file changes include modifications to wcall.c and audio_level.c, which are core components handling call processing and audio metrics. Format string vulnerabilities typically manifest in logging/error handling functions that improperly use user-controlled input as the format specifier. While the exact pre-patch code isn't visible, the file paths and vulnerability type strongly suggest these functions were using unsafe format string practices. The 'high' confidence for wcall_log stems from its role in call handling (a likely attack surface), while 'medium' for audio_level_log reflects its proximity to audio data processing but less direct attack relevance.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t * r*mot* *orm*t strin* vuln*r**ility *llow** *n *tt**k*r to **us* * **ni*l o* s*rvi** or possi*ly *x**ut* *r*itr*ry *o**. ### P*t***s * T** issu* **s ***n *ix** in wir*-*vs *.*.** *n* is *lr***y in*lu*** on *ll Wir* pro*u*ts (*urr*ntly us

Reasoning

T** vuln*r**ility (*W*-***) *xpli*itly involv*s *orm*t strin* *xploit*tion. T** *ommit *******'s *il* ***n**s in*lu** mo*i*i**tions to w**ll.* *n* *u*io_l*v*l.*, w*i** *r* *or* *ompon*nts **n*lin* **ll pro**ssin* *n* *u*io m*tri*s. *orm*t strin* vuln