CVE-2023-28427

28.03.2023, 21:15

matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. In versions prior to 24.0.0 events sent with special strings in key places can temporarily disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer's ability to process data safely. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer. This vulnerability is distinct from GHSA-rfv9-x7hh-xc32 which covers a similar issue. The issue has been patched in matrix-js-sdk 24.0.0 and users are advised to upgrade. There are no known workarounds for this vulnerability.

Prototype Pollution

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	8.2 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
GitHub_M	CNA	8.2 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
CVE	ADP	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 50%

Vendor	Product	Version
matrix	javascript_sdk	𝑥 < 24.0.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

node-matrix-js-sdk

bullseye	vulnerable
buster	no-dsa

thunderbird

bullseye	1:115.12.0-1~deb11u1 no-dsa
buster	no-dsa
bullseye (security)	1:128.5.0esr-1~deb11u1 fixed
bookworm	1:115.16.0esr-1~deb12u1 fixed
bookworm (security)	1:128.5.0esr-1~deb12u1 fixed
trixie	1:128.5.2esr-1 fixed
sid	1:128.5.2esr-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

node-matrix-js-sdk

oracular	needs-triage
noble	needs-triage
mantic	ignored
lunar	ignored
kinetic	ignored
jammy	needs-triage
focal	needs-triage
bionic	dne
xenial	ignored
trusty	ignored

Common Weakness Enumeration

CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
The software receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

References

https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-mwq8-fjpf-c2gr

https://lists.debian.org/debian-lts-announce/2023/04/msg00027.html

https://matrix.org/blog/2023/03/28/security-releases-matrix-js-sdk-24-0-0-and-matrix-react-sdk-3-69-0

https://security.gentoo.org/glsa/202305-36

https://www.debian.org/security/2023/dsa-5392

https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-mwq8-fjpf-c2gr

https://lists.debian.org/debian-lts-announce/2023/04/msg00027.html

https://matrix.org/blog/2023/03/28/security-releases-matrix-js-sdk-24-0-0-and-matrix-react-sdk-3-69-0

https://security.gentoo.org/glsa/202305-36

https://www.debian.org/security/2023/dsa-5392