CVE-2022-36059

EUVD-2023-1097

28.03.2023, 21:15

matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. In versions prior to 19.4.0 events sent with special strings in key places can temporarily disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer's ability to process data safely. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer. This issue has been fixed in matrix-js-sdk 19.4.0 and users are advised to upgrade. Users unable to upgrade may mitigate this issue by redacting applicable events, waiting for the sync processor to store data, and restarting the client. Alternatively, redacting the applicable events and clearing all storage will often fix most perceived issues. In some cases, no workarounds are possible.

Prototype Pollution

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	8.2 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
GitHub_M	CNA	8.2 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 78%

Affected Products (NVD)

Vendor	Product	Version
matrix	javascript_sdk	𝑥 < 19.4.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

node-matrix-js-sdk

bullseye	vulnerable
buster	not-affected

thunderbird

bookworm	1:115.12.0-1~deb12u1 fixed
bookworm (security)	1:115.16.0esr-1~deb12u1 fixed
bullseye	1:115.12.0-1~deb11u1 not-affected
bullseye (security)	1:128.4.0esr-1~deb11u1 fixed
buster	not-affected
sid	1:128.4.0esr-1 fixed
trixie	1:128.4.0esr-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

node-matrix-js-sdk

bionic	dne
focal	needs-triage
jammy	needs-triage
kinetic	ignored
lunar	ignored
mantic	ignored
noble	needs-triage
trusty	dne
xenial	dne

thunderbird

bionic	Fixed 1:102.2.2+build1-0ubuntu0.18.04.1 released
focal	Fixed 1:102.2.2+build1-0ubuntu0.20.04.1 released
jammy	Fixed 1:102.2.2+build1-0ubuntu0.22.04.1 released
kinetic	ignored
lunar	not-affected
mantic	not-affected
noble	not-affected
trusty	ignored
xenial	ignored

Common Weakness Enumeration

CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
The software receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

References

https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-rfv9-x7hh-xc32