CVE-2023-28427

EUVD-2023-1061

28.03.2023, 21:15

matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. In versions prior to 24.0.0 events sent with special strings in key places can temporarily disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer's ability to process data safely. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer. This vulnerability is distinct from GHSA-rfv9-x7hh-xc32 which covers a similar issue. The issue has been patched in matrix-js-sdk 24.0.0 and users are advised to upgrade. There are no known workarounds for this vulnerability.

Prototype Pollution

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	8.2 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
GitHub_M	CNA	8.2 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 57%

Affected Products (NVD)

Vendor	Product	Version
matrix	javascript_sdk	𝑥 < 24.0.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

node-matrix-js-sdk

bullseye	vulnerable
buster	no-dsa

thunderbird

bookworm	1:115.16.0esr-1~deb12u1 fixed
bookworm (security)	1:128.5.0esr-1~deb12u1 fixed
bullseye	1:115.12.0-1~deb11u1 no-dsa
bullseye (security)	1:128.5.0esr-1~deb11u1 fixed
buster	no-dsa
sid	1:128.5.2esr-1 fixed
trixie	1:128.5.2esr-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

node-matrix-js-sdk

bionic	dne
focal	needs-triage
jammy	needs-triage
kinetic	ignored
lunar	ignored
mantic	ignored
noble	needs-triage
oracular	needs-triage
trusty	ignored
xenial	ignored

Common Weakness Enumeration

CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
The software receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

References

https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-mwq8-fjpf-c2gr

https://lists.debian.org/debian-lts-announce/2023/04/msg00027.html

https://matrix.org/blog/2023/03/28/security-releases-matrix-js-sdk-24-0-0-and-matrix-react-sdk-3-69-0

https://security.gentoo.org/glsa/202305-36

https://www.debian.org/security/2023/dsa-5392

https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-mwq8-fjpf-c2gr

https://lists.debian.org/debian-lts-announce/2023/04/msg00027.html

https://matrix.org/blog/2023/03/28/security-releases-matrix-js-sdk-24-0-0-and-matrix-react-sdk-3-69-0

https://security.gentoo.org/glsa/202305-36

https://www.debian.org/security/2023/dsa-5392