CVE-2021-41193: Use of Externally-Controlled Format String in wire-avs
Severity score: 9.8
Basic Information
Technical Details
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| com.wire:avs | maven | < 7.1.12 | 7.1.12 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability is classified as CWE-134 (use of an externally controlled format string). The fix commit 40d373e modifies wcall.c and audio_level.c, core components for call processing and audio level metrics. Format string vulnerabilities typically arise in logging and error-handling functions that pass user-controlled input as the format argument itself instead of as a parameter to a fixed format. The pre-patch code is not visible here, but the changed files and the vulnerability class strongly suggest these functions used unsafe format string practices. The 'high' confidence for wcall_log reflects its role in call handling, a likely attack surface; the 'medium' confidence for audio_level_log reflects its proximity to audio data processing but a less direct exposure to attacker-controlled input.
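The logging pattern described above, shown as an added example that is not wire-avs code: a hypothetical variadic logger `log_line` is called once with the caller's message as the format string (the CWE-134 pattern) and once with a fixed `"%s"` format, and a small check flags messages that the unsafe path would interpret. The sample message is constructed; it uses only `%%`, which is well defined without extra arguments, so the difference is observable without undefined behaviour.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_CAP 128

/* Hypothetical logging helper (not from wire-avs): formats into a caller buffer. */
static void log_line(char *out, size_t cap, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, cap, fmt, ap);
    va_end(ap);
}

/* Before: the message itself becomes the format string. Any '%' directive in
 * attacker-controlled text is interpreted by vsnprintf (CWE-134). */
const char *log_unsafe(const char *msg) {
    static char buf[LOG_CAP];
    log_line(buf, sizeof buf, msg);
    return buf;
}

/* After: fixed format, message passed as a plain argument. Directives in the
 * message are copied literally and never interpreted. */
const char *log_safe(const char *msg) {
    static char buf[LOG_CAP];
    log_line(buf, sizeof buf, "%s", msg);
    return buf;
}

/* Detection aid for code review or test fixtures: returns 1 if a message
 * contains a '%' that the unsafe path would treat as a directive. */
int contains_format_directive(const char *msg) {
    return strchr(msg, '%') != NULL;
}

int main(void) {
    const char *msg = "packet loss 50%% on call";   /* constructed sample */
    printf("unsafe: %s\n", log_unsafe(msg));        /* '%%' collapses to '%' */
    printf("safe:   %s\n", log_safe(msg));          /* text kept verbatim */
    printf("flagged: %d\n", contains_format_directive(msg));
    return 0;
}
```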