Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
2 vulnerabilities found for matrix-react-sdk by matrix
CVE-2024-42347 (GCVE-0-2024-42347)
Vulnerability from cvelistv5 – Published: 2024-08-06 17:16 – Updated: 2024-08-08 18:48
VLAI
Title
URL preview setting for a room is controllable by the homeserver in matrix-react-sdk
Summary
matrix-react-sdk is a react-based SDK for inserting a Matrix chat/voip client into a web page. A malicious homeserver could manipulate a user's account data to cause the client to enable URL previews in end-to-end encrypted rooms, in which case any URLs in encrypted messages would be sent to the server. This was patched in matrix-react-sdk 3.105.0. Deployments that trust their homeservers, as well as closed federations of trusted servers, are not affected. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity
7.7 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-359 - Exposure of Private Personal Information to an Unauthorized Actor
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/matrix-org/matrix-react-sdk/se… | x_refsource_CONFIRM |
| https://github.com/matrix-org/matrix-react-sdk/re… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| matrix-org | matrix-react-sdk |
Affected:
< 3.105.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-42347",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-08T18:48:06.721647Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-08T18:48:19.919Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "matrix-react-sdk",
"vendor": "matrix-org",
"versions": [
{
"status": "affected",
"version": "\u003c 3.105.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "matrix-react-sdk is a react-based SDK for inserting a Matrix chat/voip client into a web page. A malicious homeserver could manipulate a user\u0027s account data to cause the client to enable URL previews in end-to-end encrypted rooms, in which case any URLs in encrypted messages would be sent to the server. This was patched in matrix-react-sdk 3.105.0. Deployments that trust their homeservers, as well as closed federations of trusted servers, are not affected. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-359",
"description": "CWE-359: Exposure of Private Personal Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-06T17:16:14.143Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/matrix-org/matrix-react-sdk/security/advisories/GHSA-f83w-wqhc-cfp4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/matrix-org/matrix-react-sdk/security/advisories/GHSA-f83w-wqhc-cfp4"
},
{
"name": "https://github.com/matrix-org/matrix-react-sdk/releases/tag/v3.105.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/matrix-org/matrix-react-sdk/releases/tag/v3.105.1"
}
],
"source": {
"advisory": "GHSA-f83w-wqhc-cfp4",
"discovery": "UNKNOWN"
},
"title": "URL preview setting for a room is controllable by the homeserver in matrix-react-sdk"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-42347",
"datePublished": "2024-08-06T17:16:14.143Z",
"dateReserved": "2024-07-30T14:01:33.921Z",
"dateUpdated": "2024-08-08T18:48:19.919Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-42347 (GCVE-0-2024-42347)
Vulnerability from nvd – Published: 2024-08-06 17:16 – Updated: 2024-08-08 18:48
VLAI
Title
URL preview setting for a room is controllable by the homeserver in matrix-react-sdk
Summary
matrix-react-sdk is a react-based SDK for inserting a Matrix chat/voip client into a web page. A malicious homeserver could manipulate a user's account data to cause the client to enable URL previews in end-to-end encrypted rooms, in which case any URLs in encrypted messages would be sent to the server. This was patched in matrix-react-sdk 3.105.0. Deployments that trust their homeservers, as well as closed federations of trusted servers, are not affected. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity
7.7 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-359 - Exposure of Private Personal Information to an Unauthorized Actor
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/matrix-org/matrix-react-sdk/se… | x_refsource_CONFIRM |
| https://github.com/matrix-org/matrix-react-sdk/re… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| matrix-org | matrix-react-sdk |
Affected:
< 3.105.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-42347",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-08T18:48:06.721647Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-08T18:48:19.919Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "matrix-react-sdk",
"vendor": "matrix-org",
"versions": [
{
"status": "affected",
"version": "\u003c 3.105.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "matrix-react-sdk is a react-based SDK for inserting a Matrix chat/voip client into a web page. A malicious homeserver could manipulate a user\u0027s account data to cause the client to enable URL previews in end-to-end encrypted rooms, in which case any URLs in encrypted messages would be sent to the server. This was patched in matrix-react-sdk 3.105.0. Deployments that trust their homeservers, as well as closed federations of trusted servers, are not affected. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-359",
"description": "CWE-359: Exposure of Private Personal Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-06T17:16:14.143Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/matrix-org/matrix-react-sdk/security/advisories/GHSA-f83w-wqhc-cfp4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/matrix-org/matrix-react-sdk/security/advisories/GHSA-f83w-wqhc-cfp4"
},
{
"name": "https://github.com/matrix-org/matrix-react-sdk/releases/tag/v3.105.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/matrix-org/matrix-react-sdk/releases/tag/v3.105.1"
}
],
"source": {
"advisory": "GHSA-f83w-wqhc-cfp4",
"discovery": "UNKNOWN"
},
"title": "URL preview setting for a room is controllable by the homeserver in matrix-react-sdk"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-42347",
"datePublished": "2024-08-06T17:16:14.143Z",
"dateReserved": "2024-07-30T14:01:33.921Z",
"dateUpdated": "2024-08-08T18:48:19.919Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}