{"id":"CVE-2021-41101","details":"wire-server is an open-source back end for Wire, a secure collaboration platform. Before version 2.106.0, the CORS `Access-Control-Allow-Origin` header set by `nginz` is set for all subdomains of `.wire.com` (including `wire.com`). This means that if somebody were to find an XSS vector in any of the subdomains, they could use it to talk to the Wire API using the user's Cookie. A patch does not exist, but a workaround does. To make sure that a compromise of one subdomain does not yield access to the cookie of another, one may limit the `Access-Control-Allow-Origin` header to apps that actually require the cookie (account-pages, team-settings and the webapp).","modified":"2026-04-10T04:38:11.783600Z","published":"2021-09-30T20:15:07.587Z","related":["GHSA-v7xx-cx8m-g66p"],"references":[{"type":"ADVISORY","url":"https://github.com/wireapp/wire-server/security/advisories/GHSA-v7xx-cx8m-g66p"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/wireapp/wire-server","events":[{"introduced":"0"},{"fixed":"c43d80488139605bc939a3b61613e9181c0553f9"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.106.0"}]}}],"versions":["chart=2.100.0,image=2.100.0","chart=2.100.9,image=2.100.9","chart=2.101.0,image=2.101.0","chart=2.102.0,image=2.102.0","chart=2.104.0,image=2.104.0","chart=2.105.0,image=2.105.0","chart=2.96.0,image=2.96.0","chart=2.96.5,image=2.96.5","chart=2.96.6,image=2.96.6","chart=2.97.0,image=2.97.0","chart=2.98.0,image=2.98.0","chart=2.99.12,image=2.99.12","deb/3.10.0","deb/3.11.0","deb/3.12.0","deb/3.13.0","deb/3.14.0","deb/3.14.7","deb/3.15.0","deb/3.16.0","deb/3.17.0","deb/3.18.0","deb/3.19.0","deb/3.2.0","deb/3.20.0","deb/3.21.0","deb/3.22.0","deb/3.23.0","deb/3.23.13","deb/3.24.0","deb/3.24.19","deb/3.25.0","deb/3.27.0","deb/3.27.12","deb/3.28.0","deb/3.29.0","deb/3.29.5","deb/3.3.0","deb/3.30.0","deb/3.30.7","deb/3.31.0","deb/3.32.0","deb/3.32.12","deb/3.33.0","deb/3.34.0","deb/3.35.0","deb/3.36.0","deb/3.37.0","deb/3.38.0","deb/3.38.1","deb/3.4.0","deb/3.5.0","deb/3.6.0","deb/3.6.8","deb/3.7.0","deb/3.7.22","deb/3.8.0","deb/3.9.0","image-2.50.315","image/2.100.0","image/2.100.9","image/2.101.0","image/2.102.0","image/2.103.0","image/2.103.3","image/2.104.0","image/2.105.0","image/2.50.341","image/2.51.0","image/2.52.0","image/2.53.0","image/2.54.0","image/2.55.0","image/2.56.0","image/2.57.0","image/2.57.1","image/2.58.0","image/2.59.0","image/2.60.0","image/2.60.1","image/2.61.0","image/2.62.0","image/2.63.0","image/2.63.1","image/2.64.0","image/2.65.0","image/2.66.0","image/2.67.0","image/2.67.1","image/2.68.0","image/2.69.0","image/2.70.0","image/2.70.10","image/2.70.11","image/2.70.12","image/2.70.13","image/2.70.14","image/2.70.16","image/2.70.17","image/2.70.18","image/2.70.19","image/2.70.20","image/2.70.21","image/2.70.3","image/2.70.4","image/2.70.5","image/2.70.6","image/2.70.7","image/2.70.8","image/2.70.9","image/2.72.2","image/2.72.3","image/2.73.10","image/2.73.11","image/2.73.12","image/2.73.13","image/2.73.14","image/2.73.2","image/2.73.3","image/2.73.4","image/2.73.5","image/2.73.6","image/2.73.7","image/2.73.8","image/2.73.9","image/2.74.0","image/2.75.0","image/2.76.0","image/2.77.0","image/2.78.0","image/2.79.0","image/2.80.0","image/2.80.8","image/2.81.0","image/2.81.19","image/2.82.0","image/2.83.0","image/2.84.0","image/2.85.0","image/2.85.6","image/2.86.0","image/2.87.0","image/2.88.0","image/2.89.0","image/2.90.0","image/2.90.18","image/2.91.0","image/2.93.0","image/2.94.0","image/2.95.0","image/2.96.0","image/2.96.6","image/2.97.0","image/2.97.7","image/2.98.0","image/2.99.0","image/2.99.12","v2018-10-04","v2018-11-28","v2018-12-06","v2019-01-10","v2019-01-24","v2019-02-18","v2019-02-22","v2019-02-28","v2019-03-25","v2019-04-09","v2019-05-02","v2019-07-08","v2019-08-08","v2019-09-03","v2019-09-16","v2019-09-30","v2019-11-06","v2019-11-28","v2019-12-20","v2020-01-09","v2020-02-18","v2020-02-27","v2020-03-10","v2020-04-15","v2020-04-21","v2020-05-07","v2020-05-15","v2020-06-03","v2020-06-10","v2020-06-19","v2020-07-13","v2020-07-29","v2020-09-04","v2020-10-05","v2020-10-28","v2020-11-25","v2020-12-15","v2020-12-21","v2021-01-12","v2021-02-16","v2021-02-25","v2021-03-02","v2021-03-21","v2021-03-22","v2021-03-23","v2021-05-04"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-41101.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N"}]}