CVE-2022-36059

28.03.2023, 21:15

matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. In versions prior to 19.4.0 events sent with special strings in key places can temporarily disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer's ability to process data safely. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer. This issue has been fixed in matrix-js-sdk 19.4.0 and users are advised to upgrade. Users unable to upgrade may mitigate this issue by redacting applicable events, waiting for the sync processor to store data, and restarting the client. Alternatively, redacting the applicable events and clearing all storage will often fix most perceived issues. In some cases, no workarounds are possible.

Prototype Pollution

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	8.2 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
GitHub_M	CNA	8.2 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
CVE	ADP	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 74%

Vendor	Product	Version
matrix	javascript_sdk	𝑥 < 19.4.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

node-matrix-js-sdk

bullseye	vulnerable
buster	not-affected

thunderbird

bullseye	1:115.12.0-1~deb11u1 not-affected
buster	not-affected
bullseye (security)	1:128.4.0esr-1~deb11u1 fixed
bookworm	1:115.12.0-1~deb12u1 fixed
bookworm (security)	1:115.16.0esr-1~deb12u1 fixed
sid	1:128.4.0esr-1 fixed
trixie	1:128.4.0esr-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

node-matrix-js-sdk

noble	needs-triage
mantic	ignored
lunar	ignored
kinetic	ignored
jammy	needs-triage
focal	needs-triage
bionic	dne
xenial	dne
trusty	dne

thunderbird

noble	not-affected
mantic	not-affected
lunar	not-affected
kinetic	ignored
jammy	Fixed 1:102.2.2+build1-0ubuntu0.22.04.1 released
focal	Fixed 1:102.2.2+build1-0ubuntu0.20.04.1 released
bionic	Fixed 1:102.2.2+build1-0ubuntu0.18.04.1 released
xenial	ignored
trusty	ignored

Common Weakness Enumeration

CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
The software receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

References

https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-rfv9-x7hh-xc32