Vulnerabilites related to matrix - javascript_sdk
Vulnerability from fkie_nvd
Published
2022-09-28 17:15
Modified
2024-11-21 07:17
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Summary
Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript. Starting with version 17.1.0-rc.1, improperly formed beacon events can disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer's ability to process data safely. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer. This is patched in matrix-js-sdk v19.7.0. Redacting applicable events, waiting for the sync processor to store data, and restarting the client are possible workarounds. Alternatively, redacting the applicable events and clearing all storage will fix the further perceived issues. Downgrading to an unaffected version, noting that such a version may be subject to other vulnerabilities, will additionally resolve the issue.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| matrix | javascript_sdk | * | |
| matrix | javascript_sdk | 17.1.0 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:matrix:javascript_sdk:*:*:*:*:*:node.js:*:*", matchCriteriaId: "68424611-6925-4DD4-B193-52CE6264CACB", versionEndExcluding: "19.7.0", versionStartIncluding: "17.1.0", vulnerable: true, }, { criteria: "cpe:2.3:a:matrix:javascript_sdk:17.1.0:rc1:*:*:*:node.js:*:*", matchCriteriaId: "AEA15F9B-21FD-432C-B484-1AB439E5BE82", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript. Starting with version 17.1.0-rc.1, improperly formed beacon events can disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer's ability to process data safely. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer. This is patched in matrix-js-sdk v19.7.0. Redacting applicable events, waiting for the sync processor to store data, and restarting the client are possible workarounds. Alternatively, redacting the applicable events and clearing all storage will fix the further perceived issues. Downgrading to an unaffected version, noting that such a version may be subject to other vulnerabilities, will additionally resolve the issue.", }, { lang: "es", value: "Matrix Javascript SDK es el SDK cliente-servidor de Matrix para JavaScript. A partir de la versión 17.1.0-rc.1, los eventos de baliza formados inapropiadamente pueden interrumpir o impedir que matrix-js-sdk funcione apropiadamente, afectando potencialmente la capacidad del consumidor para procesar datos de forma segura. Obsérvese que matrix-js-sdk puede parecer que funciona normalmente pero estar excluyendo o corrompiendo los datos en tiempo de ejecución presentados al consumidor. Esto está parcheado en matrix-js-sdk v19.7.0. Redactar los eventos aplicables, esperar a que el procesador de sincronización almacene los datos y reiniciar el cliente son posibles mitigaciones. Alternativamente, redactar los eventos aplicables y borrar todo el almacenamiento corregirá los problemas percibidos. La actualización a una versión no afectada, teniendo en cuenta que dicha versión puede estar sujeta a otras vulnerabilidades, también resolverá el problema", }, ], id: "CVE-2022-39236", lastModified: "2024-11-21T07:17:50.800", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 4.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 1.4, source: "security-advisories@github.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 1.4, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-09-28T17:15:11.133", references: [ { source: "security-advisories@github.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76", }, { source: "security-advisories@github.com", tags: [ "Release Notes", "Third Party Advisory", ], url: "https://github.com/matrix-org/matrix-js-sdk/releases/tag/v19.7.0", }, { source: "security-advisories@github.com", tags: [ "Third Party Advisory", ], url: "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-hvv8-5v86-r45x", }, { source: "security-advisories@github.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/matrix-org/matrix-spec-proposals/pull/3488", }, { source: "security-advisories@github.com", tags: [ "Third Party Advisory", ], url: "https://security.gentoo.org/glsa/202210-35", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Release Notes", "Third Party Advisory", ], url: "https://github.com/matrix-org/matrix-js-sdk/releases/tag/v19.7.0", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-hvv8-5v86-r45x", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/matrix-org/matrix-spec-proposals/pull/3488", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://security.gentoo.org/glsa/202210-35", }, ], sourceIdentifier: "security-advisories@github.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-20", }, ], source: "security-advisories@github.com", type: "Secondary", }, { description: [ { lang: "en", value: "NVD-CWE-noinfo", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2021-12-14 14:15
Modified
2024-11-21 06:31
Severity ?
Summary
The olm_session_describe function in Matrix libolm before 3.2.7 is vulnerable to a buffer overflow. The Olm session object represents a cryptographic channel between two parties. Therefore, its state is partially controllable by the remote party of the channel. Attackers can construct a crafted sequence of messages to manipulate the state of the receiver's session in such a way that, for some buffer sizes, a buffer overflow happens on a call to olm_session_describe. Furthermore, safe buffer sizes were undocumented. The overflow content is partially controllable by the attacker and limited to ASCII spaces and digits. The known affected products are Element Web And SchildiChat Web.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://gitlab.matrix.org/matrix-org/olm/-/tags | Product, Third Party Advisory | |
| cve@mitre.org | https://lists.debian.org/debian-lts-announce/2022/01/msg00001.html | Mailing List, Third Party Advisory | |
| cve@mitre.org | https://matrix.org/blog/2021/12/13/disclosure-buffer-overflow-in-libolm-and-matrix-js-sdk | Patch, Vendor Advisory | |
| cve@mitre.org | https://www.debian.org/security/2022/dsa-5034 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://gitlab.matrix.org/matrix-org/olm/-/tags | Product, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.debian.org/debian-lts-announce/2022/01/msg00001.html | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://matrix.org/blog/2021/12/13/disclosure-buffer-overflow-in-libolm-and-matrix-js-sdk | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.debian.org/security/2022/dsa-5034 | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| matrix | element | * | |
| matrix | element | * | |
| matrix | javascript_sdk | * | |
| matrix | olm | * | |
| schildi | schildichat | * | |
| schildi | schildichat | * | |
| cinny_project | cinny | * | |
| debian | debian_linux | 9.0 | |
| debian | debian_linux | 10.0 | |
| debian | debian_linux | 11.0 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:matrix:element:*:*:*:*:desktop:*:*:*", matchCriteriaId: "50D6A7E8-2090-4176-8BF2-CC4FBDB230A0", versionEndExcluding: "1.9.7", vulnerable: true, }, { criteria: "cpe:2.3:a:matrix:element:*:*:*:*:web:*:*:*", matchCriteriaId: "C55680D8-A282-4ACF-937A-FF568EF253A5", versionEndExcluding: "1.9.7", vulnerable: true, }, { criteria: "cpe:2.3:a:matrix:javascript_sdk:*:*:*:*:*:*:*:*", matchCriteriaId: "F5FD9553-7738-44D7-B29A-687F292F9EFB", versionEndExcluding: "15.2.1", versionStartIncluding: "2.4.2", vulnerable: true, }, { criteria: "cpe:2.3:a:matrix:olm:*:*:*:*:*:*:*:*", matchCriteriaId: "9AA69814-4AB7-4F75-8E64-3BF1B70B157D", versionEndExcluding: "3.2.8", versionStartIncluding: "3.1.4", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:schildi:schildichat:*:*:*:*:desktop:*:*:*", matchCriteriaId: "D0498DDF-E353-41F4-BF91-4A765BDCC955", versionEndExcluding: "1.9.7-sc1", vulnerable: true, }, { criteria: "cpe:2.3:a:schildi:schildichat:*:*:*:*:web:*:*:*", matchCriteriaId: "D8B93183-5BDA-4399-9E8B-EBD214B106FE", versionEndExcluding: "1.9.7-sc1", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:cinny_project:cinny:*:*:*:*:*:*:*:*", matchCriteriaId: "B3620442-82E2-4655-BDD9-AD86FD571197", versionEndExcluding: "1.6.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", matchCriteriaId: "DEECE5FC-CACF-4496-A3E7-164736409252", vulnerable: true, }, { criteria: "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", matchCriteriaId: "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", vulnerable: true, }, { criteria: "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", matchCriteriaId: "FA6FEEC2-9F11-4643-8827-749718254FED", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "The olm_session_describe function in Matrix libolm before 3.2.7 is vulnerable to a buffer overflow. The Olm session object represents a cryptographic channel between two parties. Therefore, its state is partially controllable by the remote party of the channel. Attackers can construct a crafted sequence of messages to manipulate the state of the receiver's session in such a way that, for some buffer sizes, a buffer overflow happens on a call to olm_session_describe. Furthermore, safe buffer sizes were undocumented. The overflow content is partially controllable by the attacker and limited to ASCII spaces and digits. The known affected products are Element Web And SchildiChat Web.", }, { lang: "es", value: "La función olm_session_describe en Matrix libolm versiones anteriores a 3.2.7, es vulnerable a un desbordamiento de búfer. El objeto Olm session representa un canal criptográfico entre dos partes. Por lo tanto, su estado es parcialmente controlable por la parte remota del canal. Los atacantes pueden construir una secuencia de mensajes manipulada para manipular el estado de la sesión del receptor de tal manera que, para algunos tamaños de búfer, se produzca un desbordamiento de búfer en una llamada a olm_session_describe. Además, los tamaños de búfer seguros no estaban documentados. El contenido del desbordamiento es parcialmente controlable por el atacante y se limita a espacios y dígitos ASCII. Los productos afectados conocidos son Element Web y SchildiChat Web", }, ], id: "CVE-2021-44538", lastModified: "2024-11-21T06:31:11.483", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "HIGH", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 7.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2021-12-14T14:15:09.410", references: [ { source: "cve@mitre.org", tags: [ "Product", "Third Party Advisory", ], url: "https://gitlab.matrix.org/matrix-org/olm/-/tags", }, { source: "cve@mitre.org", tags: [ "Mailing List", "Third Party Advisory", ], url: "https://lists.debian.org/debian-lts-announce/2022/01/msg00001.html", }, { source: "cve@mitre.org", tags: [ "Patch", "Vendor Advisory", ], url: "https://matrix.org/blog/2021/12/13/disclosure-buffer-overflow-in-libolm-and-matrix-js-sdk", }, { source: "cve@mitre.org", tags: [ "Third Party Advisory", ], url: "https://www.debian.org/security/2022/dsa-5034", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Product", "Third Party Advisory", ], url: "https://gitlab.matrix.org/matrix-org/olm/-/tags", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Third Party Advisory", ], url: "https://lists.debian.org/debian-lts-announce/2022/01/msg00001.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Vendor Advisory", ], url: "https://matrix.org/blog/2021/12/13/disclosure-buffer-overflow-in-libolm-and-matrix-js-sdk", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://www.debian.org/security/2022/dsa-5034", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-119", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2023-04-14 19:15
Modified
2024-11-21 07:57
Severity ?
5.0 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
matrix-js-sdk is the Matrix Client-Server SDK for JavaScript and TypeScript. An attacker present in a room where an MSC3401 group call is taking place can eavesdrop on the video and audio of participants using matrix-js-sdk, without their knowledge. To affected matrix-js-sdk users, the attacker will not appear to be participating in the call. This attack is possible because matrix-js-sdk's group call implementation accepts incoming direct calls from other users, even if they have not yet declared intent to participate in the group call, as a means of resolving a race condition in call setup. Affected versions do not restrict access to the user's outbound media in this case. Legacy 1:1 calls are unaffected. This is fixed in matrix-js-sdk 24.1.0. As a workaround, users may hold group calls in private rooms where only the exact users who are expected to participate in the call are present.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| matrix | javascript_sdk | * |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:matrix:javascript_sdk:*:*:*:*:*:node.js:*:*", matchCriteriaId: "F434D632-322B-4A24-A585-53A983E63A6A", versionEndExcluding: "24.1.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "matrix-js-sdk is the Matrix Client-Server SDK for JavaScript and TypeScript. An attacker present in a room where an MSC3401 group call is taking place can eavesdrop on the video and audio of participants using matrix-js-sdk, without their knowledge. To affected matrix-js-sdk users, the attacker will not appear to be participating in the call. This attack is possible because matrix-js-sdk's group call implementation accepts incoming direct calls from other users, even if they have not yet declared intent to participate in the group call, as a means of resolving a race condition in call setup. Affected versions do not restrict access to the user's outbound media in this case. Legacy 1:1 calls are unaffected. This is fixed in matrix-js-sdk 24.1.0. As a workaround, users may hold group calls in private rooms where only the exact users who are expected to participate in the call are present.", }, ], id: "CVE-2023-29529", lastModified: "2024-11-21T07:57:14.377", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", version: "3.1", }, exploitabilityScore: 3.1, impactScore: 1.4, source: "security-advisories@github.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 1.4, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-04-14T19:15:09.400", references: [ { source: "security-advisories@github.com", tags: [ "Release Notes", ], url: "https://github.com/matrix-org/matrix-js-sdk/releases/tag/v24.1.0", }, { source: "security-advisories@github.com", tags: [ "Vendor Advisory", ], url: "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-6g67-q39g-r79q", }, { source: "security-advisories@github.com", tags: [ "Issue Tracking", "Patch", ], url: "https://github.com/matrix-org/matrix-spec-proposals/pull/3401", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Release Notes", ], url: "https://github.com/matrix-org/matrix-js-sdk/releases/tag/v24.1.0", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-6g67-q39g-r79q", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Patch", ], url: "https://github.com/matrix-org/matrix-spec-proposals/pull/3401", }, ], sourceIdentifier: "security-advisories@github.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-862", }, ], source: "security-advisories@github.com", type: "Secondary", }, { description: [ { lang: "en", value: "NVD-CWE-noinfo", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2022-09-28 20:15
Modified
2024-11-21 07:17
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Summary
Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript. Prior to version 19.7.0, an attacker cooperating with a malicious homeserver can construct messages appearing to have come from another person. Such messages will be marked with a grey shield on some platforms, but this may be missing in others. This attack is possible due to the matrix-js-sdk implementing a too permissive key forwarding strategy on the receiving end. Starting with version 19.7.0, the default policy for accepting key forwards has been made more strict in the matrix-js-sdk. matrix-js-sdk will now only accept forwarded keys in response to previously issued requests and only from own, verified devices. The SDK now sets a `trusted` flag on the decrypted message upon decryption, based on whether the key used to decrypt the message was received from a trusted source. Clients need to ensure that messages decrypted with a key with `trusted = false` are decorated appropriately, for example, by showing a warning for such messages. This attack requires coordination between a malicious homeserver and an attacker, and those who trust your homeservers do not need a workaround.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| matrix | javascript_sdk | * |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:matrix:javascript_sdk:*:*:*:*:*:node.js:*:*", matchCriteriaId: "4755C737-8BCE-49AF-8D23-CD3D36F9EDA7", versionEndExcluding: "19.7.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript. Prior to version 19.7.0, an attacker cooperating with a malicious homeserver can construct messages appearing to have come from another person. Such messages will be marked with a grey shield on some platforms, but this may be missing in others. This attack is possible due to the matrix-js-sdk implementing a too permissive key forwarding strategy on the receiving end. Starting with version 19.7.0, the default policy for accepting key forwards has been made more strict in the matrix-js-sdk. matrix-js-sdk will now only accept forwarded keys in response to previously issued requests and only from own, verified devices. The SDK now sets a `trusted` flag on the decrypted message upon decryption, based on whether the key used to decrypt the message was received from a trusted source. Clients need to ensure that messages decrypted with a key with `trusted = false` are decorated appropriately, for example, by showing a warning for such messages. This attack requires coordination between a malicious homeserver and an attacker, and those who trust your homeservers do not need a workaround.", }, { lang: "es", value: "Matrix Javascript SDK es el SDK cliente-servidor de Matrix para JavaScript. En versiones anteriores a 19.7.0, un atacante que coopere con un servidor doméstico malicioso puede construir mensajes que parezcan proceder de otra persona. Dichos mensajes estarán marcados con un escudo gris en algunas plataformas, pero éste puede faltar en otras. Este ataque es posible debido a que matrix-js-sdk implementa una estrategia de reenvío de claves demasiado permisiva en el extremo receptor. A partir de la versión 19.7.0, la política por defecto para aceptar reenvíos de claves se ha hecho más estricta en matrix-js-sdk. matrix-js-sdk ahora sólo aceptará claves reenviadas en respuesta a peticiones previamente emitidas y sólo de dispositivos propios y verificados. El SDK ahora establece un flag \"trusted\" en el mensaje descifrado al descifrarlo, basándose en si la clave usada para descifrar el mensaje es recibida de una fuente confiable. Los clientes deben asegurarse de que los mensajes descifrados con una clave con \"trusted = false\" sean decorados adecuadamente, por ejemplo, mostrando una advertencia para tales mensajes. Este ataque requiere la coordinación entre un servidor doméstico malicioso y un atacante, y aquellos que confían en sus servidores domésticos no necesitan una mitigación", }, ], id: "CVE-2022-39249", lastModified: "2024-11-21T07:17:52.443", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "security-advisories@github.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-09-28T20:15:16.127", references: [ { source: "security-advisories@github.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76", }, { source: "security-advisories@github.com", tags: [ "Release Notes", "Third Party Advisory", ], url: "https://github.com/matrix-org/matrix-js-sdk/releases/tag/v19.7.0", }, { source: "security-advisories@github.com", tags: [ "Third Party Advisory", ], url: "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-6263-x97c-c4gg", }, { source: "security-advisories@github.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/matrix-org/matrix-spec-proposals/pull/3061", }, { source: "security-advisories@github.com", tags: [ "Vendor Advisory", ], url: "https://matrix.org/blog/2022/09/28/upgrade-now-to-address-encryption-vulns-in-matrix-sdks-and-clients", }, { source: "security-advisories@github.com", tags: [ "Third Party Advisory", ], url: "https://security.gentoo.org/glsa/202210-35", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Release Notes", "Third Party Advisory", ], url: "https://github.com/matrix-org/matrix-js-sdk/releases/tag/v19.7.0", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-6263-x97c-c4gg", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/matrix-org/matrix-spec-proposals/pull/3061", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://matrix.org/blog/2022/09/28/upgrade-now-to-address-encryption-vulns-in-matrix-sdks-and-clients", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://security.gentoo.org/glsa/202210-35", }, ], sourceIdentifier: "security-advisories@github.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-287", }, { lang: "en", value: "CWE-322", }, ], source: "security-advisories@github.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-287", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2023-03-28 21:15
Modified
2024-11-21 07:55
Severity ?
8.2 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
8.2 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
8.2 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Summary
matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. In versions prior to 24.0.0 events sent with special strings in key places can temporarily disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer's ability to process data safely. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer. This vulnerability is distinct from GHSA-rfv9-x7hh-xc32 which covers a similar issue. The issue has been patched in matrix-js-sdk 24.0.0 and users are advised to upgrade. There are no known workarounds for this vulnerability.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| matrix | javascript_sdk | * |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:matrix:javascript_sdk:*:*:*:*:*:node.js:*:*", matchCriteriaId: "F62FDB36-FCF3-46AF-B806-FB5ADD18B0FD", versionEndExcluding: "24.0.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. In versions prior to 24.0.0 events sent with special strings in key places can temporarily disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer's ability to process data safely. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer. This vulnerability is distinct from GHSA-rfv9-x7hh-xc32 which covers a similar issue. The issue has been patched in matrix-js-sdk 24.0.0 and users are advised to upgrade. There are no known workarounds for this vulnerability.", }, ], id: "CVE-2023-28427", lastModified: "2024-11-21T07:55:02.590", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.2, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 4.2, source: "security-advisories@github.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.2, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 4.2, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-03-28T21:15:11.057", references: [ { source: "security-advisories@github.com", tags: [ "Vendor Advisory", ], url: "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-mwq8-fjpf-c2gr", }, { source: "security-advisories@github.com", url: "https://lists.debian.org/debian-lts-announce/2023/04/msg00027.html", }, { source: "security-advisories@github.com", tags: [ "Vendor Advisory", ], url: "https://matrix.org/blog/2023/03/28/security-releases-matrix-js-sdk-24-0-0-and-matrix-react-sdk-3-69-0", }, { source: "security-advisories@github.com", url: "https://security.gentoo.org/glsa/202305-36", }, { source: "security-advisories@github.com", url: "https://www.debian.org/security/2023/dsa-5392", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-mwq8-fjpf-c2gr", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.debian.org/debian-lts-announce/2023/04/msg00027.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://matrix.org/blog/2023/03/28/security-releases-matrix-js-sdk-24-0-0-and-matrix-react-sdk-3-69-0", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://security.gentoo.org/glsa/202305-36", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://www.debian.org/security/2023/dsa-5392", }, ], sourceIdentifier: "security-advisories@github.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-1321", }, ], source: "security-advisories@github.com", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2022-09-29 13:15
Modified
2024-11-21 07:17
Severity ?
8.6 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Summary
Matrix JavaScript SDK is the Matrix Client-Server software development kit (SDK) for JavaScript. Prior to version 19.7.0, an attacker cooperating with a malicious homeserver could interfere with the verification flow between two users, injecting its own cross-signing user identity in place of one of the users’ identities. This would lead to the other device trusting/verifying the user identity under the control of the homeserver instead of the intended one. The vulnerability is a bug in the matrix-js-sdk, caused by checking and signing user identities and devices in two separate steps, and inadequately fixing the keys to be signed between those steps. Even though the attack is partly made possible due to the design decision of treating cross-signing user identities as Matrix devices on the server side (with their device ID set to the public part of the user identity key), no other examined implementations were vulnerable. Starting with version 19.7.0, the matrix-js-sdk has been modified to double check that the key signed is the one that was verified instead of just referencing the key by ID. An additional check has been made to report an error when one of the device ID matches a cross-signing key. As this attack requires coordination between a malicious homeserver and an attacker, those who trust their homeservers do not need a particular workaround.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| matrix | javascript_sdk | * |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:matrix:javascript_sdk:*:*:*:*:*:node.js:*:*", matchCriteriaId: "4755C737-8BCE-49AF-8D23-CD3D36F9EDA7", versionEndExcluding: "19.7.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Matrix JavaScript SDK is the Matrix Client-Server software development kit (SDK) for JavaScript. Prior to version 19.7.0, an attacker cooperating with a malicious homeserver could interfere with the verification flow between two users, injecting its own cross-signing user identity in place of one of the users’ identities. This would lead to the other device trusting/verifying the user identity under the control of the homeserver instead of the intended one. The vulnerability is a bug in the matrix-js-sdk, caused by checking and signing user identities and devices in two separate steps, and inadequately fixing the keys to be signed between those steps. Even though the attack is partly made possible due to the design decision of treating cross-signing user identities as Matrix devices on the server side (with their device ID set to the public part of the user identity key), no other examined implementations were vulnerable. Starting with version 19.7.0, the matrix-js-sdk has been modified to double check that the key signed is the one that was verified instead of just referencing the key by ID. An additional check has been made to report an error when one of the device ID matches a cross-signing key. As this attack requires coordination between a malicious homeserver and an attacker, those who trust their homeservers do not need a particular workaround.", }, { lang: "es", value: "Matrix JavaScript SDK es el kit de desarrollo de software (SDK) cliente-servidor de Matrix para JavaScript. En versiones anteriores a 19.7.0, un atacante que cooperara con un servidor doméstico malicioso podría interferir con el flujo de verificación entre dos usuarios, inyectando su propia identidad de usuario de firma cruzada en lugar de la identidad de uno de los usuarios. Esto conllevaría a que el otro dispositivo confiara/verificara la identidad del usuario bajo el control del servidor doméstico en lugar de la prevista. La vulnerabilidad es un bug en el matrix-js-sdk, causado por la comprobación y firma de las identidades de los usuarios y los dispositivos en dos pasos separados, y la fijación inapropiada de las claves a firmar entre esos pasos. Aunque el ataque es posible en parte debido a la decisión de diseño de tratar las identidades de usuario de firma cruzada como dispositivos de Matrix en el lado del servidor (con su ID de dispositivo establecido en la parte pública de la clave de identidad del usuario), ninguna otra implementación examinada era vulnerable. A partir de la versión 19.7.0, el matrix-js-sdk ha sido modificado para comprobar dos veces que la clave firmada es la que ha sido verificada en lugar de hacer referencia a la clave por su ID. Ha sido realizada una comprobación adicional para informar de un error cuando uno de los ID del dispositivo coincide con una clave de firma cruzada. Como este ataque requiere la coordinación entre un servidor doméstico malicioso y un atacante, quienes confían en sus servidores domésticos no necesitan una mitigación particular", }, ], id: "CVE-2022-39250", lastModified: "2024-11-21T07:17:52.587", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 8.6, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 4, source: "security-advisories@github.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-09-29T13:15:09.693", references: [ { source: "security-advisories@github.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76", }, { source: "security-advisories@github.com", tags: [ "Release Notes", "Third Party Advisory", ], url: "https://github.com/matrix-org/matrix-js-sdk/releases/tag/v19.7.0", }, { source: "security-advisories@github.com", tags: [ "Third Party Advisory", ], url: "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-5w8r-8pgj-5jmf", }, { source: "security-advisories@github.com", tags: [ "Vendor Advisory", ], url: "https://matrix.org/blog/2022/09/28/upgrade-now-to-address-encryption-vulns-in-matrix-sdks-and-clients", }, { source: "security-advisories@github.com", tags: [ "Third Party Advisory", ], url: "https://security.gentoo.org/glsa/202210-35", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Release Notes", "Third Party Advisory", ], url: "https://github.com/matrix-org/matrix-js-sdk/releases/tag/v19.7.0", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-5w8r-8pgj-5jmf", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://matrix.org/blog/2022/09/28/upgrade-now-to-address-encryption-vulns-in-matrix-sdks-and-clients", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://security.gentoo.org/glsa/202210-35", }, ], sourceIdentifier: "security-advisories@github.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-287", }, { lang: "en", value: "CWE-322", }, ], source: "security-advisories@github.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-287", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2021-09-13 19:15
Modified
2024-11-21 06:24
Severity ?
Summary
A logic error in the room key sharing functionality of matrix-js-sdk (aka Matrix Javascript SDK) before 12.4.1 allows a malicious Matrix homeserver present in an encrypted room to steal room encryption keys (via crafted Matrix protocol messages) that were originally sent by affected Matrix clients participating in that room. This allows the homeserver to decrypt end-to-end encrypted messages sent by affected clients.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| matrix | javascript_sdk | * |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:matrix:javascript_sdk:*:*:*:*:*:*:*:*", matchCriteriaId: "698EDD62-CB34-43CB-8BEA-B39E37E3A847", versionEndExcluding: "12.4.1", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "A logic error in the room key sharing functionality of matrix-js-sdk (aka Matrix Javascript SDK) before 12.4.1 allows a malicious Matrix homeserver present in an encrypted room to steal room encryption keys (via crafted Matrix protocol messages) that were originally sent by affected Matrix clients participating in that room. This allows the homeserver to decrypt end-to-end encrypted messages sent by affected clients.", }, { lang: "es", value: "Un error lógico en la funcionalidad de compartición de claves de sala de matrix-js-sdk (también conocido como Matrix Javascript SDK) antes de la versión 12.4.1 permite que un servidor doméstico de Matrix malicioso presente en una sala cifrada robe las claves de cifrado de la sala (a través de mensajes de protocolo de Matrix manipulados) que fueron enviados originalmente por los clientes de Matrix afectados que participan en esa sala. Esto permite al servidor doméstico descifrar los mensajes cifrados de extremo a extremo enviados por los clientes afectados.e dispositivo", }, ], id: "CVE-2021-40823", lastModified: "2024-11-21T06:24:50.633", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:M/Au:N/C:P/I:N/A:N", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.9, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, exploitabilityScore: 2.2, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2021-09-13T19:15:19.137", references: [ { source: "cve@mitre.org", tags: [ "Third Party Advisory", ], url: "https://github.com/matrix-org/matrix-js-sdk/releases/tag/v12.4.1", }, { source: "cve@mitre.org", tags: [ "Vendor Advisory", ], url: "https://matrix.org/blog/2021/09/13/vulnerability-disclosure-key-sharing", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://github.com/matrix-org/matrix-js-sdk/releases/tag/v12.4.1", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://matrix.org/blog/2021/09/13/vulnerability-disclosure-key-sharing", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-290", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2024-08-20 15:15
Modified
2024-08-21 16:01
Severity ?
4.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:L
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Summary
matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. A malicious homeserver can craft a room or room structure such that the predecessors form a cycle. The matrix-js-sdk's getRoomUpgradeHistory function will infinitely recurse in this case, causing the code to hang. This method is public but also called by the 'leaveRoomChain()' method, so leaving a room will also trigger the bug. This was patched in matrix-js-sdk 34.3.1.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| matrix | javascript_sdk | * |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:matrix:javascript_sdk:*:*:*:*:*:*:*:*", matchCriteriaId: "C489179C-DCFC-4A63-B66D-7AD76CCD6663", versionEndExcluding: "34.3.1", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. A malicious homeserver can craft a room or room structure such that the predecessors form a cycle. The matrix-js-sdk's getRoomUpgradeHistory function will infinitely recurse in this case, causing the code to hang. This method is public but also called by the 'leaveRoomChain()' method, so leaving a room will also trigger the bug. This was patched in matrix-js-sdk 34.3.1.", }, { lang: "es", value: "Matrix-js-sdk es un SDK cliente-servidor del protocolo de mensajería Matrix para JavaScript. Un servidor doméstico malicioso puede crear una sala o una estructura de sala tal que los predecesores formen un ciclo. La función getRoomUpgradeHistory de Matrix-js-sdk se repetirá infinitamente en este caso, lo que provocará que el código se cuelgue. Este método es público pero también lo llama el método 'leaveRoomChain()', por lo que salir de una habitación también activará el error. Esto fue parcheado en Matrix-js-sdk 34.3.1.", }, ], id: "CVE-2024-42369", lastModified: "2024-08-21T16:01:03.147", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 4.1, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:L", version: "3.1", }, exploitabilityScore: 2.3, impactScore: 1.4, source: "security-advisories@github.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 1.4, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2024-08-20T15:15:21.540", references: [ { source: "security-advisories@github.com", tags: [ "Patch", ], url: "https://github.com/matrix-org/matrix-js-sdk/commit/a0efed8b881b3db6c9f2c71d6a6e74c2828978c6", }, { source: "security-advisories@github.com", tags: [ "Vendor Advisory", ], url: "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-vhr5-g3pm-49fm", }, ], sourceIdentifier: "security-advisories@github.com", vulnStatus: "Analyzed", weaknesses: [ { description: [ { lang: "en", value: "CWE-674", }, ], source: "security-advisories@github.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-674", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2023-03-28 21:15
Modified
2024-11-21 07:12
Severity ?
8.2 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Summary
matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. In versions prior to 19.4.0 events sent with special strings in key places can temporarily disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer's ability to process data safely. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer. This issue has been fixed in matrix-js-sdk 19.4.0 and users are advised to upgrade. Users unable to upgrade may mitigate this issue by redacting applicable events, waiting for the sync processor to store data, and restarting the client. Alternatively, redacting the applicable events and clearing all storage will often fix most perceived issues. In some cases, no workarounds are possible.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| matrix | javascript_sdk | * |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:matrix:javascript_sdk:*:*:*:*:*:node.js:*:*", matchCriteriaId: "2C8E8A52-35AD-4AAE-B1F7-D96008B30048", versionEndExcluding: "19.4.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. In versions prior to 19.4.0 events sent with special strings in key places can temporarily disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer's ability to process data safely. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer. This issue has been fixed in matrix-js-sdk 19.4.0 and users are advised to upgrade. Users unable to upgrade may mitigate this issue by redacting applicable events, waiting for the sync processor to store data, and restarting the client. Alternatively, redacting the applicable events and clearing all storage will often fix most perceived issues. In some cases, no workarounds are possible.", }, ], id: "CVE-2022-36059", lastModified: "2024-11-21T07:12:17.397", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.2, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 4.2, source: "security-advisories@github.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 1.4, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-03-28T21:15:10.153", references: [ { source: "security-advisories@github.com", tags: [ "Vendor Advisory", ], url: "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-rfv9-x7hh-xc32", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-rfv9-x7hh-xc32", }, ], sourceIdentifier: "security-advisories@github.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-1321", }, ], source: "security-advisories@github.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-1321", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2022-09-28 20:15
Modified
2024-11-21 07:17
Severity ?
8.6 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Summary
Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript. Prior to version 19.7.0, an attacker cooperating with a malicious homeserver can construct messages that legitimately appear to have come from another person, without any indication such as a grey shield. Additionally, a sophisticated attacker cooperating with a malicious homeserver could employ this vulnerability to perform a targeted attack in order to send fake to-device messages appearing to originate from another user. This can allow, for example, to inject the key backup secret during a self-verification, to make a targeted device start using a malicious key backup spoofed by the homeserver. These attacks are possible due to a protocol confusion vulnerability that accepts to-device messages encrypted with Megolm instead of Olm. Starting with version 19.7.0, matrix-js-sdk has been modified to only accept Olm-encrypted to-device messages. Out of caution, several other checks have been audited or added. This attack requires coordination between a malicious home server and an attacker, so those who trust their home servers do not need a workaround.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| matrix | javascript_sdk | * |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:matrix:javascript_sdk:*:*:*:*:*:node.js:*:*", matchCriteriaId: "4755C737-8BCE-49AF-8D23-CD3D36F9EDA7", versionEndExcluding: "19.7.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript. Prior to version 19.7.0, an attacker cooperating with a malicious homeserver can construct messages that legitimately appear to have come from another person, without any indication such as a grey shield. Additionally, a sophisticated attacker cooperating with a malicious homeserver could employ this vulnerability to perform a targeted attack in order to send fake to-device messages appearing to originate from another user. This can allow, for example, to inject the key backup secret during a self-verification, to make a targeted device start using a malicious key backup spoofed by the homeserver. These attacks are possible due to a protocol confusion vulnerability that accepts to-device messages encrypted with Megolm instead of Olm. Starting with version 19.7.0, matrix-js-sdk has been modified to only accept Olm-encrypted to-device messages. Out of caution, several other checks have been audited or added. This attack requires coordination between a malicious home server and an attacker, so those who trust their home servers do not need a workaround.", }, { lang: "es", value: "Matrix Javascript SDK es el SDK cliente-servidor de Matrix para JavaScript. En versiones anteriores a 19.7.0, un atacante que coopere con un servidor doméstico malicioso puede construir mensajes que parezcan legítimamente proceder de otra persona, sin ninguna indicación como un escudo gris. Además, un atacante sofisticado que coopere con un servidor doméstico malicioso podría emplear esta vulnerabilidad para llevar a cabo un ataque dirigido con el fin de enviar mensajes falsos al dispositivo que parezcan proceder de otro usuario. Esto puede permitir, por ejemplo, inyectar el secreto de la copia de seguridad de la clave durante una autoverificación, para hacer que un dispositivo objetivo comience a usar una copia de seguridad de la clave maliciosa falsificada por el servidor doméstico. Estos ataques son posibles debido a una vulnerabilidad de confusión en el protocolo que acepta mensajes hacia el dispositivo cifrados con Megolm en lugar de Olm. A partir de la versión 19.7.0, matrix-js-sdk ha sido modificado para aceptar únicamente mensajes to-device cifrados con Olm. Por precaución, han sido auditadas o añadidas otras comprobaciones. Este ataque requiere la coordinación entre un servidor doméstico malicioso y un atacante, por lo que aquellos que confían en sus servidores domésticos no necesitan una mitigación", }, ], id: "CVE-2022-39251", lastModified: "2024-11-21T07:17:52.733", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 8.6, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 4, source: "security-advisories@github.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-09-28T20:15:16.533", references: [ { source: "security-advisories@github.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76", }, { source: "security-advisories@github.com", tags: [ "Release Notes", "Third Party Advisory", ], url: "https://github.com/matrix-org/matrix-js-sdk/releases/tag/v19.7.0", }, { source: "security-advisories@github.com", tags: [ "Third Party Advisory", ], url: "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-r48r-j8fx-mq2c", }, { source: "security-advisories@github.com", tags: [ "Vendor Advisory", ], url: "https://matrix.org/blog/2022/09/28/upgrade-now-to-address-encryption-vulns-in-matrix-sdks-and-clients", }, { source: "security-advisories@github.com", tags: [ "Third Party Advisory", ], url: "https://security.gentoo.org/glsa/202210-35", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Release Notes", "Third Party Advisory", ], url: "https://github.com/matrix-org/matrix-js-sdk/releases/tag/v19.7.0", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-r48r-j8fx-mq2c", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://matrix.org/blog/2022/09/28/upgrade-now-to-address-encryption-vulns-in-matrix-sdks-and-clients", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://security.gentoo.org/glsa/202210-35", }, ], sourceIdentifier: "security-advisories@github.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-287", }, { lang: "en", value: "CWE-322", }, ], source: "security-advisories@github.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-287", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
cve-2022-39251
Vulnerability from cvelistv5
Published
2022-09-28 00:00
Modified
2025-04-23 16:55
Severity ?
EPSS score ?
Summary
Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript. Prior to version 19.7.0, an attacker cooperating with a malicious homeserver can construct messages that legitimately appear to have come from another person, without any indication such as a grey shield. Additionally, a sophisticated attacker cooperating with a malicious homeserver could employ this vulnerability to perform a targeted attack in order to send fake to-device messages appearing to originate from another user. This can allow, for example, to inject the key backup secret during a self-verification, to make a targeted device start using a malicious key backup spoofed by the homeserver. These attacks are possible due to a protocol confusion vulnerability that accepts to-device messages encrypted with Megolm instead of Olm. Starting with version 19.7.0, matrix-js-sdk has been modified to only accept Olm-encrypted to-device messages. Out of caution, several other checks have been audited or added. This attack requires coordination between a malicious home server and an attacker, so those who trust their home servers do not need a workaround.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| matrix-org | matrix-js-sdk |
Version: < 19.7.0 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T12:00:43.351Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76", }, { tags: [ "x_transferred", ], url: "https://github.com/matrix-org/matrix-js-sdk/releases/tag/v19.7.0", }, { tags: [ "x_transferred", ], url: "https://matrix.org/blog/2022/09/28/upgrade-now-to-address-encryption-vulns-in-matrix-sdks-and-clients", }, { tags: [ "x_transferred", ], url: "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-r48r-j8fx-mq2c", }, { name: "GLSA-202210-35", tags: [ "vendor-advisory", "x_transferred", ], url: "https://security.gentoo.org/glsa/202210-35", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2022-39251", options: [ { Exploitation: "none", }, { Automatable: "yes", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-04-23T15:51:00.530252Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-04-23T16:55:05.561Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "matrix-js-sdk", vendor: "matrix-org", versions: [ { status: "affected", version: "< 19.7.0", }, ], }, ], descriptions: [ { lang: "en", value: "Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript. Prior to version 19.7.0, an attacker cooperating with a malicious homeserver can construct messages that legitimately appear to have come from another person, without any indication such as a grey shield. Additionally, a sophisticated attacker cooperating with a malicious homeserver could employ this vulnerability to perform a targeted attack in order to send fake to-device messages appearing to originate from another user. This can allow, for example, to inject the key backup secret during a self-verification, to make a targeted device start using a malicious key backup spoofed by the homeserver. These attacks are possible due to a protocol confusion vulnerability that accepts to-device messages encrypted with Megolm instead of Olm. Starting with version 19.7.0, matrix-js-sdk has been modified to only accept Olm-encrypted to-device messages. Out of caution, several other checks have been audited or added. This attack requires coordination between a malicious home server and an attacker, so those who trust their home servers do not need a workaround.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 8.6, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-322", description: "CWE-322: Key Exchange without Entity Authentication", lang: "en", type: "CWE", }, ], }, { descriptions: [ { cweId: "CWE-287", description: "CWE-287: Improper Authentication", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-10-31T00:00:00.000Z", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { url: "https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76", }, { url: "https://github.com/matrix-org/matrix-js-sdk/releases/tag/v19.7.0", }, { url: "https://matrix.org/blog/2022/09/28/upgrade-now-to-address-encryption-vulns-in-matrix-sdks-and-clients", }, { url: "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-r48r-j8fx-mq2c", }, { name: "GLSA-202210-35", tags: [ "vendor-advisory", ], url: "https://security.gentoo.org/glsa/202210-35", }, ], source: { advisory: "GHSA-r48r-j8fx-mq2c", discovery: "UNKNOWN", }, title: "Matrix Javascript SDK vulnerable to Olm/Megolm protocol confusion", }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2022-39251", datePublished: "2022-09-28T00:00:00.000Z", dateReserved: "2022-09-02T00:00:00.000Z", dateUpdated: "2025-04-23T16:55:05.561Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-36059
Vulnerability from cvelistv5
Published
2023-03-28 20:32
Modified
2025-02-18 20:05
Severity ?
EPSS score ?
Summary
matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. In versions prior to 19.4.0 events sent with special strings in key places can temporarily disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer's ability to process data safely. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer. This issue has been fixed in matrix-js-sdk 19.4.0 and users are advised to upgrade. Users unable to upgrade may mitigate this issue by redacting applicable events, waiting for the sync processor to store data, and restarting the client. Alternatively, redacting the applicable events and clearing all storage will often fix most perceived issues. In some cases, no workarounds are possible.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-rfv9-x7hh-xc32 | x_refsource_CONFIRM |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| matrix-org | matrix-js-sdk |
Version: < 19.4.0 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T09:52:00.508Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-rfv9-x7hh-xc32", tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-rfv9-x7hh-xc32", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2022-36059", options: [ { Exploitation: "none", }, { Automatable: "yes", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-02-18T20:05:25.304259Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-02-18T20:05:37.448Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "matrix-js-sdk", vendor: "matrix-org", versions: [ { status: "affected", version: "< 19.4.0", }, ], }, ], descriptions: [ { lang: "en", value: "matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. In versions prior to 19.4.0 events sent with special strings in key places can temporarily disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer's ability to process data safely. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer. This issue has been fixed in matrix-js-sdk 19.4.0 and users are advised to upgrade. Users unable to upgrade may mitigate this issue by redacting applicable events, waiting for the sync processor to store data, and restarting the client. Alternatively, redacting the applicable events and clearing all storage will often fix most perceived issues. In some cases, no workarounds are possible.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.2, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-1321", description: "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-03-28T20:32:18.422Z", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { name: "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-rfv9-x7hh-xc32", tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-rfv9-x7hh-xc32", }, ], source: { advisory: "GHSA-rfv9-x7hh-xc32", discovery: "UNKNOWN", }, title: "Prototype pollution in matrix-js-sdk", }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2022-36059", datePublished: "2023-03-28T20:32:18.422Z", dateReserved: "2022-07-15T23:52:24.339Z", dateUpdated: "2025-02-18T20:05:37.448Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-42369
Vulnerability from cvelistv5
Published
2024-08-20 14:37
Modified
2024-09-03 17:06
Severity ?
EPSS score ?
Summary
matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. A malicious homeserver can craft a room or room structure such that the predecessors form a cycle. The matrix-js-sdk's getRoomUpgradeHistory function will infinitely recurse in this case, causing the code to hang. This method is public but also called by the 'leaveRoomChain()' method, so leaving a room will also trigger the bug. This was patched in matrix-js-sdk 34.3.1.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-vhr5-g3pm-49fm | x_refsource_CONFIRM | |
| https://github.com/matrix-org/matrix-js-sdk/commit/a0efed8b881b3db6c9f2c71d6a6e74c2828978c6 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| matrix-org | matrix-js-sdk |
Version: < 34.3.1 |
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-42369", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-08-21T14:41:11.504953Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-03T17:06:42.231Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "matrix-js-sdk", vendor: "matrix-org", versions: [ { status: "affected", version: "< 34.3.1", }, ], }, ], descriptions: [ { lang: "en", value: "matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. A malicious homeserver can craft a room or room structure such that the predecessors form a cycle. The matrix-js-sdk's getRoomUpgradeHistory function will infinitely recurse in this case, causing the code to hang. This method is public but also called by the 'leaveRoomChain()' method, so leaving a room will also trigger the bug. This was patched in matrix-js-sdk 34.3.1.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 4.1, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:L", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-674", description: "CWE-674: Uncontrolled Recursion", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-08-20T14:37:19.226Z", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { name: "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-vhr5-g3pm-49fm", tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-vhr5-g3pm-49fm", }, { name: "https://github.com/matrix-org/matrix-js-sdk/commit/a0efed8b881b3db6c9f2c71d6a6e74c2828978c6", tags: [ "x_refsource_MISC", ], url: "https://github.com/matrix-org/matrix-js-sdk/commit/a0efed8b881b3db6c9f2c71d6a6e74c2828978c6", }, ], source: { advisory: "GHSA-vhr5-g3pm-49fm", discovery: "UNKNOWN", }, title: "A room with itself as a its predecessor will freeze matrix-js-sdk", }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2024-42369", datePublished: "2024-08-20T14:37:19.226Z", dateReserved: "2024-07-30T14:01:33.923Z", dateUpdated: "2024-09-03T17:06:42.231Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-28427
Vulnerability from cvelistv5
Published
2023-03-28 20:32
Modified
2025-02-18 20:03
Severity ?
EPSS score ?
Summary
matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. In versions prior to 24.0.0 events sent with special strings in key places can temporarily disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer's ability to process data safely. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer. This vulnerability is distinct from GHSA-rfv9-x7hh-xc32 which covers a similar issue. The issue has been patched in matrix-js-sdk 24.0.0 and users are advised to upgrade. There are no known workarounds for this vulnerability.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| matrix-org | matrix-js-sdk |
Version: < 24.0.0 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T12:38:25.414Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-mwq8-fjpf-c2gr", tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-mwq8-fjpf-c2gr", }, { name: "https://matrix.org/blog/2023/03/28/security-releases-matrix-js-sdk-24-0-0-and-matrix-react-sdk-3-69-0", tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://matrix.org/blog/2023/03/28/security-releases-matrix-js-sdk-24-0-0-and-matrix-react-sdk-3-69-0", }, { tags: [ "x_transferred", ], url: "https://www.debian.org/security/2023/dsa-5392", }, { tags: [ "x_transferred", ], url: "https://lists.debian.org/debian-lts-announce/2023/04/msg00027.html", }, { tags: [ "x_transferred", ], url: "https://security.gentoo.org/glsa/202305-36", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-28427", options: [ { Exploitation: "none", }, { Automatable: "yes", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-02-18T20:03:37.180251Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-02-18T20:03:47.555Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "matrix-js-sdk", vendor: "matrix-org", versions: [ { status: "affected", version: "< 24.0.0", }, ], }, ], descriptions: [ { lang: "en", value: "matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. In versions prior to 24.0.0 events sent with special strings in key places can temporarily disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer's ability to process data safely. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer. This vulnerability is distinct from GHSA-rfv9-x7hh-xc32 which covers a similar issue. The issue has been patched in matrix-js-sdk 24.0.0 and users are advised to upgrade. There are no known workarounds for this vulnerability.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.2, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-1321", description: "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-05-30T05:09:23.758Z", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { name: "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-mwq8-fjpf-c2gr", tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-mwq8-fjpf-c2gr", }, { name: "https://matrix.org/blog/2023/03/28/security-releases-matrix-js-sdk-24-0-0-and-matrix-react-sdk-3-69-0", tags: [ "x_refsource_MISC", ], url: "https://matrix.org/blog/2023/03/28/security-releases-matrix-js-sdk-24-0-0-and-matrix-react-sdk-3-69-0", }, { url: "https://www.debian.org/security/2023/dsa-5392", }, { url: "https://lists.debian.org/debian-lts-announce/2023/04/msg00027.html", }, { url: "https://security.gentoo.org/glsa/202305-36", }, ], source: { advisory: "GHSA-mwq8-fjpf-c2gr", discovery: "UNKNOWN", }, title: "Prototype pollution in matrix-js-sdk", }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2023-28427", datePublished: "2023-03-28T20:32:22.116Z", dateReserved: "2023-03-15T15:59:10.050Z", dateUpdated: "2025-02-18T20:03:47.555Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-39236
Vulnerability from cvelistv5
Published
2022-09-28 00:00
Modified
2025-04-23 16:55
Severity ?
EPSS score ?
Summary
Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript. Starting with version 17.1.0-rc.1, improperly formed beacon events can disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer's ability to process data safely. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer. This is patched in matrix-js-sdk v19.7.0. Redacting applicable events, waiting for the sync processor to store data, and restarting the client are possible workarounds. Alternatively, redacting the applicable events and clearing all storage will fix the further perceived issues. Downgrading to an unaffected version, noting that such a version may be subject to other vulnerabilities, will additionally resolve the issue.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| matrix-org | matrix-js-sdk |
Version: >= 17.1.0-rc.1, < 19.7.0 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T12:00:42.605Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-hvv8-5v86-r45x", }, { tags: [ "x_transferred", ], url: "https://github.com/matrix-org/matrix-spec-proposals/pull/3488", }, { tags: [ "x_transferred", ], url: "https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76", }, { tags: [ "x_transferred", ], url: "https://github.com/matrix-org/matrix-js-sdk/releases/tag/v19.7.0", }, { name: "GLSA-202210-35", tags: [ "vendor-advisory", "x_transferred", ], url: "https://security.gentoo.org/glsa/202210-35", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2022-39236", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-04-23T13:57:05.169149Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-04-23T16:55:17.226Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "matrix-js-sdk", vendor: "matrix-org", versions: [ { status: "affected", version: ">= 17.1.0-rc.1, < 19.7.0", }, ], }, ], descriptions: [ { lang: "en", value: "Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript. Starting with version 17.1.0-rc.1, improperly formed beacon events can disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer's ability to process data safely. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer. This is patched in matrix-js-sdk v19.7.0. Redacting applicable events, waiting for the sync processor to store data, and restarting the client are possible workarounds. Alternatively, redacting the applicable events and clearing all storage will fix the further perceived issues. Downgrading to an unaffected version, noting that such a version may be subject to other vulnerabilities, will additionally resolve the issue.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 4.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-20", description: "CWE-20: Improper Input Validation", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-10-31T00:00:00.000Z", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { url: "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-hvv8-5v86-r45x", }, { url: "https://github.com/matrix-org/matrix-spec-proposals/pull/3488", }, { url: "https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76", }, { url: "https://github.com/matrix-org/matrix-js-sdk/releases/tag/v19.7.0", }, { name: "GLSA-202210-35", tags: [ "vendor-advisory", ], url: "https://security.gentoo.org/glsa/202210-35", }, ], source: { advisory: "GHSA-hvv8-5v86-r45x", discovery: "UNKNOWN", }, title: "Matrix Javascript SDK improper beacon events can cause availability issues", }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2022-39236", datePublished: "2022-09-28T00:00:00.000Z", dateReserved: "2022-09-02T00:00:00.000Z", dateUpdated: "2025-04-23T16:55:17.226Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-29529
Vulnerability from cvelistv5
Published
2023-04-14 18:21
Modified
2025-02-06 18:45
Severity ?
EPSS score ?
Summary
matrix-js-sdk is the Matrix Client-Server SDK for JavaScript and TypeScript. An attacker present in a room where an MSC3401 group call is taking place can eavesdrop on the video and audio of participants using matrix-js-sdk, without their knowledge. To affected matrix-js-sdk users, the attacker will not appear to be participating in the call. This attack is possible because matrix-js-sdk's group call implementation accepts incoming direct calls from other users, even if they have not yet declared intent to participate in the group call, as a means of resolving a race condition in call setup. Affected versions do not restrict access to the user's outbound media in this case. Legacy 1:1 calls are unaffected. This is fixed in matrix-js-sdk 24.1.0. As a workaround, users may hold group calls in private rooms where only the exact users who are expected to participate in the call are present.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-6g67-q39g-r79q | x_refsource_CONFIRM | |
| https://github.com/matrix-org/matrix-spec-proposals/pull/3401 | x_refsource_MISC | |
| https://github.com/matrix-org/matrix-js-sdk/releases/tag/v24.1.0 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| matrix-org | matrix-js-sdk |
Version: < 24.1.0 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T14:14:38.965Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-6g67-q39g-r79q", tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-6g67-q39g-r79q", }, { name: "https://github.com/matrix-org/matrix-spec-proposals/pull/3401", tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/matrix-org/matrix-spec-proposals/pull/3401", }, { name: "https://github.com/matrix-org/matrix-js-sdk/releases/tag/v24.1.0", tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/matrix-org/matrix-js-sdk/releases/tag/v24.1.0", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-29529", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-02-06T18:45:25.233233Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-02-06T18:45:34.043Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "matrix-js-sdk", vendor: "matrix-org", versions: [ { status: "affected", version: "< 24.1.0", }, ], }, ], descriptions: [ { lang: "en", value: "matrix-js-sdk is the Matrix Client-Server SDK for JavaScript and TypeScript. An attacker present in a room where an MSC3401 group call is taking place can eavesdrop on the video and audio of participants using matrix-js-sdk, without their knowledge. To affected matrix-js-sdk users, the attacker will not appear to be participating in the call. This attack is possible because matrix-js-sdk's group call implementation accepts incoming direct calls from other users, even if they have not yet declared intent to participate in the group call, as a means of resolving a race condition in call setup. Affected versions do not restrict access to the user's outbound media in this case. Legacy 1:1 calls are unaffected. This is fixed in matrix-js-sdk 24.1.0. As a workaround, users may hold group calls in private rooms where only the exact users who are expected to participate in the call are present.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-862", description: "CWE-862: Missing Authorization", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-04-14T18:21:17.050Z", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { name: "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-6g67-q39g-r79q", tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-6g67-q39g-r79q", }, { name: "https://github.com/matrix-org/matrix-spec-proposals/pull/3401", tags: [ "x_refsource_MISC", ], url: "https://github.com/matrix-org/matrix-spec-proposals/pull/3401", }, { name: "https://github.com/matrix-org/matrix-js-sdk/releases/tag/v24.1.0", tags: [ "x_refsource_MISC", ], url: "https://github.com/matrix-org/matrix-js-sdk/releases/tag/v24.1.0", }, ], source: { advisory: "GHSA-6g67-q39g-r79q", discovery: "UNKNOWN", }, title: "matrix-js-sdk vulnerable to invisible eavesdropping in group calls", }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2023-29529", datePublished: "2023-04-14T18:21:17.050Z", dateReserved: "2023-04-07T18:56:54.630Z", dateUpdated: "2025-02-06T18:45:34.043Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-39249
Vulnerability from cvelistv5
Published
2022-09-28 00:00
Modified
2025-04-23 16:55
Severity ?
EPSS score ?
Summary
Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript. Prior to version 19.7.0, an attacker cooperating with a malicious homeserver can construct messages appearing to have come from another person. Such messages will be marked with a grey shield on some platforms, but this may be missing in others. This attack is possible due to the matrix-js-sdk implementing a too permissive key forwarding strategy on the receiving end. Starting with version 19.7.0, the default policy for accepting key forwards has been made more strict in the matrix-js-sdk. matrix-js-sdk will now only accept forwarded keys in response to previously issued requests and only from own, verified devices. The SDK now sets a `trusted` flag on the decrypted message upon decryption, based on whether the key used to decrypt the message was received from a trusted source. Clients need to ensure that messages decrypted with a key with `trusted = false` are decorated appropriately, for example, by showing a warning for such messages. This attack requires coordination between a malicious homeserver and an attacker, and those who trust your homeservers do not need a workaround.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| matrix-org | matrix-js-sdk |
Version: < 19.7.0 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T12:00:43.417Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76", }, { tags: [ "x_transferred", ], url: "https://github.com/matrix-org/matrix-js-sdk/releases/tag/v19.7.0", }, { tags: [ "x_transferred", ], url: "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-6263-x97c-c4gg", }, { tags: [ "x_transferred", ], url: "https://github.com/matrix-org/matrix-spec-proposals/pull/3061", }, { tags: [ "x_transferred", ], url: "https://matrix.org/blog/2022/09/28/upgrade-now-to-address-encryption-vulns-in-matrix-sdks-and-clients", }, { name: "GLSA-202210-35", tags: [ "vendor-advisory", "x_transferred", ], url: "https://security.gentoo.org/glsa/202210-35", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2022-39249", options: [ { Exploitation: "none", }, { Automatable: "yes", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-04-23T15:51:04.050488Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-04-23T16:55:11.362Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "matrix-js-sdk", vendor: "matrix-org", versions: [ { status: "affected", version: "< 19.7.0", }, ], }, ], descriptions: [ { lang: "en", value: "Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript. Prior to version 19.7.0, an attacker cooperating with a malicious homeserver can construct messages appearing to have come from another person. Such messages will be marked with a grey shield on some platforms, but this may be missing in others. This attack is possible due to the matrix-js-sdk implementing a too permissive key forwarding strategy on the receiving end. Starting with version 19.7.0, the default policy for accepting key forwards has been made more strict in the matrix-js-sdk. matrix-js-sdk will now only accept forwarded keys in response to previously issued requests and only from own, verified devices. The SDK now sets a `trusted` flag on the decrypted message upon decryption, based on whether the key used to decrypt the message was received from a trusted source. Clients need to ensure that messages decrypted with a key with `trusted = false` are decorated appropriately, for example, by showing a warning for such messages. This attack requires coordination between a malicious homeserver and an attacker, and those who trust your homeservers do not need a workaround.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-322", description: "CWE-322: Key Exchange without Entity Authentication", lang: "en", type: "CWE", }, ], }, { descriptions: [ { cweId: "CWE-287", description: "CWE-287: Improper Authentication", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-10-31T00:00:00.000Z", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { url: "https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76", }, { url: "https://github.com/matrix-org/matrix-js-sdk/releases/tag/v19.7.0", }, { url: "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-6263-x97c-c4gg", }, { url: "https://github.com/matrix-org/matrix-spec-proposals/pull/3061", }, { url: "https://matrix.org/blog/2022/09/28/upgrade-now-to-address-encryption-vulns-in-matrix-sdks-and-clients", }, { name: "GLSA-202210-35", tags: [ "vendor-advisory", ], url: "https://security.gentoo.org/glsa/202210-35", }, ], source: { advisory: "GHSA-6263-x97c-c4gg", discovery: "UNKNOWN", }, title: "Matrix Javascript SDK vulnerable to impersonation via forwarded Megolm sessions", }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2022-39249", datePublished: "2022-09-28T00:00:00.000Z", dateReserved: "2022-09-02T00:00:00.000Z", dateUpdated: "2025-04-23T16:55:11.362Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-39250
Vulnerability from cvelistv5
Published
2022-09-29 00:00
Modified
2025-04-23 16:54
Severity ?
EPSS score ?
Summary
Matrix JavaScript SDK is the Matrix Client-Server software development kit (SDK) for JavaScript. Prior to version 19.7.0, an attacker cooperating with a malicious homeserver could interfere with the verification flow between two users, injecting its own cross-signing user identity in place of one of the users’ identities. This would lead to the other device trusting/verifying the user identity under the control of the homeserver instead of the intended one. The vulnerability is a bug in the matrix-js-sdk, caused by checking and signing user identities and devices in two separate steps, and inadequately fixing the keys to be signed between those steps. Even though the attack is partly made possible due to the design decision of treating cross-signing user identities as Matrix devices on the server side (with their device ID set to the public part of the user identity key), no other examined implementations were vulnerable. Starting with version 19.7.0, the matrix-js-sdk has been modified to double check that the key signed is the one that was verified instead of just referencing the key by ID. An additional check has been made to report an error when one of the device ID matches a cross-signing key. As this attack requires coordination between a malicious homeserver and an attacker, those who trust their homeservers do not need a particular workaround.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| matrix-org | matrix-js-sdk |
Version: < 19.7.0 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T12:00:43.453Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76", }, { tags: [ "x_transferred", ], url: "https://github.com/matrix-org/matrix-js-sdk/releases/tag/v19.7.0", }, { tags: [ "x_transferred", ], url: "https://matrix.org/blog/2022/09/28/upgrade-now-to-address-encryption-vulns-in-matrix-sdks-and-clients", }, { tags: [ "x_transferred", ], url: "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-5w8r-8pgj-5jmf", }, { name: "GLSA-202210-35", tags: [ "vendor-advisory", "x_transferred", ], url: "https://security.gentoo.org/glsa/202210-35", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2022-39250", options: [ { Exploitation: "none", }, { Automatable: "yes", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-04-23T15:50:35.378280Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-04-23T16:54:16.797Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "matrix-js-sdk", vendor: "matrix-org", versions: [ { status: "affected", version: "< 19.7.0", }, ], }, ], descriptions: [ { lang: "en", value: "Matrix JavaScript SDK is the Matrix Client-Server software development kit (SDK) for JavaScript. Prior to version 19.7.0, an attacker cooperating with a malicious homeserver could interfere with the verification flow between two users, injecting its own cross-signing user identity in place of one of the users’ identities. This would lead to the other device trusting/verifying the user identity under the control of the homeserver instead of the intended one. The vulnerability is a bug in the matrix-js-sdk, caused by checking and signing user identities and devices in two separate steps, and inadequately fixing the keys to be signed between those steps. Even though the attack is partly made possible due to the design decision of treating cross-signing user identities as Matrix devices on the server side (with their device ID set to the public part of the user identity key), no other examined implementations were vulnerable. Starting with version 19.7.0, the matrix-js-sdk has been modified to double check that the key signed is the one that was verified instead of just referencing the key by ID. An additional check has been made to report an error when one of the device ID matches a cross-signing key. As this attack requires coordination between a malicious homeserver and an attacker, those who trust their homeservers do not need a particular workaround.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 8.6, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-322", description: "CWE-322: Key Exchange without Entity Authentication", lang: "en", type: "CWE", }, ], }, { descriptions: [ { cweId: "CWE-287", description: "CWE-287: Improper Authentication", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-10-31T00:00:00.000Z", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { url: "https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76", }, { url: "https://github.com/matrix-org/matrix-js-sdk/releases/tag/v19.7.0", }, { url: "https://matrix.org/blog/2022/09/28/upgrade-now-to-address-encryption-vulns-in-matrix-sdks-and-clients", }, { url: "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-5w8r-8pgj-5jmf", }, { name: "GLSA-202210-35", tags: [ "vendor-advisory", ], url: "https://security.gentoo.org/glsa/202210-35", }, ], source: { advisory: "GHSA-5w8r-8pgj-5jmf", discovery: "UNKNOWN", }, title: "Matrix JavaScript SDK vulnerable to key/device identifier confusion in SAS verification", }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2022-39250", datePublished: "2022-09-29T00:00:00.000Z", dateReserved: "2022-09-02T00:00:00.000Z", dateUpdated: "2025-04-23T16:54:16.797Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2021-40823
Vulnerability from cvelistv5
Published
2021-09-13 18:45
Modified
2024-08-04 02:51
Severity ?
EPSS score ?
Summary
A logic error in the room key sharing functionality of matrix-js-sdk (aka Matrix Javascript SDK) before 12.4.1 allows a malicious Matrix homeserver present in an encrypted room to steal room encryption keys (via crafted Matrix protocol messages) that were originally sent by affected Matrix clients participating in that room. This allows the homeserver to decrypt end-to-end encrypted messages sent by affected clients.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/matrix-org/matrix-js-sdk/releases/tag/v12.4.1 | x_refsource_MISC | |
| https://matrix.org/blog/2021/09/13/vulnerability-disclosure-key-sharing | x_refsource_MISC |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T02:51:06.929Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/matrix-org/matrix-js-sdk/releases/tag/v12.4.1", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://matrix.org/blog/2021/09/13/vulnerability-disclosure-key-sharing", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], descriptions: [ { lang: "en", value: "A logic error in the room key sharing functionality of matrix-js-sdk (aka Matrix Javascript SDK) before 12.4.1 allows a malicious Matrix homeserver present in an encrypted room to steal room encryption keys (via crafted Matrix protocol messages) that were originally sent by affected Matrix clients participating in that room. This allows the homeserver to decrypt end-to-end encrypted messages sent by affected clients.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2021-09-14T11:50:31", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://github.com/matrix-org/matrix-js-sdk/releases/tag/v12.4.1", }, { tags: [ "x_refsource_MISC", ], url: "https://matrix.org/blog/2021/09/13/vulnerability-disclosure-key-sharing", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2021-40823", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "A logic error in the room key sharing functionality of matrix-js-sdk (aka Matrix Javascript SDK) before 12.4.1 allows a malicious Matrix homeserver present in an encrypted room to steal room encryption keys (via crafted Matrix protocol messages) that were originally sent by affected Matrix clients participating in that room. This allows the homeserver to decrypt end-to-end encrypted messages sent by affected clients.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/matrix-org/matrix-js-sdk/releases/tag/v12.4.1", refsource: "MISC", url: "https://github.com/matrix-org/matrix-js-sdk/releases/tag/v12.4.1", }, { name: "https://matrix.org/blog/2021/09/13/vulnerability-disclosure-key-sharing", refsource: "MISC", url: "https://matrix.org/blog/2021/09/13/vulnerability-disclosure-key-sharing", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2021-40823", datePublished: "2021-09-13T18:45:50", dateReserved: "2021-09-09T00:00:00", dateUpdated: "2024-08-04T02:51:06.929Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2021-44538
Vulnerability from cvelistv5
Published
2021-12-14 13:26
Modified
2024-08-04 04:25
Severity ?
EPSS score ?
Summary
The olm_session_describe function in Matrix libolm before 3.2.7 is vulnerable to a buffer overflow. The Olm session object represents a cryptographic channel between two parties. Therefore, its state is partially controllable by the remote party of the channel. Attackers can construct a crafted sequence of messages to manipulate the state of the receiver's session in such a way that, for some buffer sizes, a buffer overflow happens on a call to olm_session_describe. Furthermore, safe buffer sizes were undocumented. The overflow content is partially controllable by the attacker and limited to ASCII spaces and digits. The known affected products are Element Web And SchildiChat Web.
References
| ▼ | URL | Tags |
|---|---|---|
| https://gitlab.matrix.org/matrix-org/olm/-/tags | x_refsource_MISC | |
| https://matrix.org/blog/2021/12/13/disclosure-buffer-overflow-in-libolm-and-matrix-js-sdk | x_refsource_MISC | |
| https://www.debian.org/security/2022/dsa-5034 | vendor-advisory, x_refsource_DEBIAN | |
| https://lists.debian.org/debian-lts-announce/2022/01/msg00001.html | mailing-list, x_refsource_MLIST |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T04:25:16.851Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://gitlab.matrix.org/matrix-org/olm/-/tags", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://matrix.org/blog/2021/12/13/disclosure-buffer-overflow-in-libolm-and-matrix-js-sdk", }, { name: "DSA-5034", tags: [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred", ], url: "https://www.debian.org/security/2022/dsa-5034", }, { name: "[debian-lts-announce] 20220104 [SECURITY] [DLA 2874-1] thunderbird security update", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.debian.org/debian-lts-announce/2022/01/msg00001.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], descriptions: [ { lang: "en", value: "The olm_session_describe function in Matrix libolm before 3.2.7 is vulnerable to a buffer overflow. The Olm session object represents a cryptographic channel between two parties. Therefore, its state is partially controllable by the remote party of the channel. Attackers can construct a crafted sequence of messages to manipulate the state of the receiver's session in such a way that, for some buffer sizes, a buffer overflow happens on a call to olm_session_describe. Furthermore, safe buffer sizes were undocumented. The overflow content is partially controllable by the attacker and limited to ASCII spaces and digits. The known affected products are Element Web And SchildiChat Web.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2022-01-04T11:06:25", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://gitlab.matrix.org/matrix-org/olm/-/tags", }, { tags: [ "x_refsource_MISC", ], url: "https://matrix.org/blog/2021/12/13/disclosure-buffer-overflow-in-libolm-and-matrix-js-sdk", }, { name: "DSA-5034", tags: [ "vendor-advisory", "x_refsource_DEBIAN", ], url: "https://www.debian.org/security/2022/dsa-5034", }, { name: "[debian-lts-announce] 20220104 [SECURITY] [DLA 2874-1] thunderbird security update", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.debian.org/debian-lts-announce/2022/01/msg00001.html", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2021-44538", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "The olm_session_describe function in Matrix libolm before 3.2.7 is vulnerable to a buffer overflow. The Olm session object represents a cryptographic channel between two parties. Therefore, its state is partially controllable by the remote party of the channel. Attackers can construct a crafted sequence of messages to manipulate the state of the receiver's session in such a way that, for some buffer sizes, a buffer overflow happens on a call to olm_session_describe. Furthermore, safe buffer sizes were undocumented. The overflow content is partially controllable by the attacker and limited to ASCII spaces and digits. The known affected products are Element Web And SchildiChat Web.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://gitlab.matrix.org/matrix-org/olm/-/tags", refsource: "MISC", url: "https://gitlab.matrix.org/matrix-org/olm/-/tags", }, { name: "https://matrix.org/blog/2021/12/13/disclosure-buffer-overflow-in-libolm-and-matrix-js-sdk", refsource: "MISC", url: "https://matrix.org/blog/2021/12/13/disclosure-buffer-overflow-in-libolm-and-matrix-js-sdk", }, { name: "DSA-5034", refsource: "DEBIAN", url: "https://www.debian.org/security/2022/dsa-5034", }, { name: "[debian-lts-announce] 20220104 [SECURITY] [DLA 2874-1] thunderbird security update", refsource: "MLIST", url: "https://lists.debian.org/debian-lts-announce/2022/01/msg00001.html", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2021-44538", datePublished: "2021-12-14T13:26:32", dateReserved: "2021-12-03T00:00:00", dateUpdated: "2024-08-04T04:25:16.851Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }