ghsa-qcvh-p9jq-wp8v
Vulnerability from github
8.7 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Impact
matrix-react-sdk before 3.102.0 allows a malicious homeserver to potentially steal message keys for a room when a user invites another user to that room, via injection of a malicious device controlled by the homeserver. This is possible because matrix-react-sdk before 3.102.0 shared historical message keys on invite.
Patches
matrix-react-sdk 3.102.0 disables sharing message keys on invite by removing calls to the vulnerable functionality.
Workarounds
None.
References
The vulnerability in matrix-react-sdk is caused by calling MatrixClient.sendSharedHistoryKeys in matrix-js-sdk, which is inherently vulnerable to this sort of attack. This matrix-js-sdk vulnerability is tracked as CVE-2024-47080 / GHSA-4jf8-g8wp-cx7c. Given that this functionality is not specific to sharing message keys on invite, is optional, has to be explicitly called by the caller and has been independently patched in matrix-react-sdk by removing the offending calls, we believe it is proper to treat the matrix-react-sdk vulnerability as a separate one, with its own advisory and CVE.
The matrix-org/matrix-react-sdk repository has recently been archived and the project was moved to element-hq/matrix-react-sdk. Given that this happened after the first patched release, no releases of the project on element-hq/matrix-react-sdk were ever vulnerable to this vulnerability.
Patching pull request: https://github.com/matrix-org/matrix-react-sdk/pull/12618.
For more information
If you have any questions or comments about this advisory, please email us at security at security at matrix.org.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "matrix-react-sdk"
},
"ranges": [
{
"events": [
{
"introduced": "3.18.0"
},
{
"fixed": "3.102.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-47824"
],
"database_specific": {
"cwe_ids": [
"CWE-200"
],
"github_reviewed": true,
"github_reviewed_at": "2024-10-15T18:11:51Z",
"nvd_published_at": "2024-10-15T16:15:05Z",
"severity": "HIGH"
},
"details": "### Impact\n\nmatrix-react-sdk before 3.102.0 allows a malicious homeserver to potentially steal message keys for a room when a user invites another user to that room, via injection of a malicious device controlled by the homeserver. This is possible because matrix-react-sdk before 3.102.0 shared historical message keys on invite.\n\n### Patches\n\nmatrix-react-sdk 3.102.0 [disables sharing message keys on invite](https://github.com/matrix-org/matrix-react-sdk/pull/12618) by removing calls to the vulnerable functionality.\n\n### Workarounds\n\nNone.\n\n### References\n\nThe vulnerability in matrix-react-sdk is caused by calling `MatrixClient.sendSharedHistoryKeys` in matrix-js-sdk, which is inherently vulnerable to this sort of attack. This matrix-js-sdk vulnerability is tracked as CVE-2024-47080 / [GHSA-4jf8-g8wp-cx7c](https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-4jf8-g8wp-cx7c). Given that this functionality is not specific to sharing message keys on *invite*, is optional, has to be explicitly called by the caller and has been independently patched in matrix-react-sdk by removing the offending calls, we believe it is proper to treat the matrix-react-sdk vulnerability as a separate one, with its own advisory and CVE.\n\nThe matrix-org/matrix-react-sdk repository has recently been archived and the project was moved to [element-hq/matrix-react-sdk](https://github.com/element-hq/matrix-react-sdk). Given that this happened *after* the first patched release, no releases of the project on [element-hq/matrix-react-sdk](https://github.com/element-hq/matrix-react-sdk) were ever vulnerable to this vulnerability.\n\nPatching pull request: https://github.com/matrix-org/matrix-react-sdk/pull/12618.\n\n### For more information\n\nIf you have any questions or comments about this advisory, please email us at security at [security at matrix.org](mailto:security@matrix.org).\n",
"id": "GHSA-qcvh-p9jq-wp8v",
"modified": "2024-10-15T19:56:05Z",
"published": "2024-10-15T18:11:51Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/matrix-org/matrix-react-sdk/security/advisories/GHSA-qcvh-p9jq-wp8v"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47824"
},
{
"type": "WEB",
"url": "https://github.com/matrix-org/matrix-react-sdk/pull/12618"
},
{
"type": "WEB",
"url": "https://github.com/matrix-org/matrix-react-sdk/commit/6fc9d7641c51ca3db8225cf58b9d6e6fdd2d6556"
},
{
"type": "PACKAGE",
"url": "https://github.com/matrix-org/matrix-react-sdk"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Malicious homeservers can steal message keys when the matrix-react-sdk user invites another user to a room"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.