CVE-2024-50336

EUVD-2024-3335
matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. matrix-js-sdk before 34.11.0 is vulnerable to client-side path traversal via crafted MXC URIs. A malicious room member can trigger clients based on the matrix-js-sdk to issue arbitrary authenticated GET requests to the client's homeserver. Fixed in matrix-js-sdk 34.11.1.
Path Traversal
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | UNKNOWN | --- | | | |
Awaiting analysis
This vulnerability is currently awaiting analysis.
EPSS Score percentile: 75%
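Ubuntu Releases

| Ubuntu Product | Codename | Status |
|---|---|---|
| node-matrix-js-sdk | focal | needs-triage |
| node-matrix-js-sdk | jammy | needs-triage |
| node-matrix-js-sdk | noble | needs-triage |
| node-matrix-js-sdk | oracular | ignored |
| node-matrix-js-sdk | plucky | dne |
| node-matrix-js-sdk | questing | dne |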
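openSUSE / SLES Releases

| openSUSE Product | Release | Version | Status |
|---|---|---|---|
| MozillaThunderbird | suse enterprise desktop 15 SP5 | 128.5.2-150200.8.194.1 | fixed |
| MozillaThunderbird | suse enterprise desktop 15 SP6 | 128.5.2-150200.8.194.1 | fixed |
| MozillaThunderbird | suse enterprise desktop 15 SP7 | 128.5.2-150200.8.194.1 | fixed |
| MozillaThunderbird | suse enterprise sap 15 SP5 | 128.5.2-150200.8.194.1 | fixed |
| MozillaThunderbird | suse enterprise sap 15 SP6 | 128.5.2-150200.8.194.1 | fixed |
| MozillaThunderbird | suse enterprise sap 15 SP7 | 128.5.2-150200.8.194.1 | fixed |
| MozillaThunderbird | suse enterprise server 15 SP5 | 128.5.2-150200.8.194.1 | fixed |
| MozillaThunderbird | suse enterprise server 15 SP6 | 128.5.2-150200.8.194.1 | fixed |
| MozillaThunderbird | suse enterprise server 15 SP7 | 128.5.2-150200.8.194.1 | fixed |
| MozillaThunderbird | suse enterprise workstation 15 SP5 | 128.5.2-150200.8.194.1 | fixed |
| MozillaThunderbird | suse enterprise workstation 15 SP6 | 128.5.2-150200.8.194.1 | fixed |
| MozillaThunderbird | suse enterprise workstation 15 SP7 | 128.5.2-150200.8.194.1 | fixed |
| MozillaThunderbird-translations-common | suse enterprise desktop 15 SP5 | 128.5.2-150200.8.194.1 | fixed |
| MozillaThunderbird-translations-common | suse enterprise desktop 15 SP6 | 128.5.2-150200.8.194.1 | fixed |
| MozillaThunderbird-translations-common | suse enterprise desktop 15 SP7 | 128.5.2-150200.8.194.1 | fixed |
| MozillaThunderbird-translations-common | suse enterprise sap 15 SP5 | 128.5.2-150200.8.194.1 | fixed |
| MozillaThunderbird-translations-common | suse enterprise sap 15 SP6 | 128.5.2-150200.8.194.1 | fixed |
| MozillaThunderbird-translations-common | suse enterprise sap 15 SP7 | 128.5.2-150200.8.194.1 | fixed |
| MozillaThunderbird-translations-common | suse enterprise server 15 SP5 | 128.5.2-150200.8.194.1 | fixed |
| MozillaThunderbird-translations-common | suse enterprise server 15 SP6 | 128.5.2-150200.8.194.1 | fixed |
| MozillaThunderbird-translations-common | suse enterprise server 15 SP7 | 128.5.2-150200.8.194.1 | fixed |
| MozillaThunderbird-translations-common | suse enterprise workstation 15 SP5 | 128.5.2-150200.8.194.1 | fixed |
| MozillaThunderbird-translations-common | suse enterprise workstation 15 SP6 | 128.5.2-150200.8.194.1 | fixed |
| MozillaThunderbird-translations-common | suse enterprise workstation 15 SP7 | 128.5.2-150200.8.194.1 | fixed |
| MozillaThunderbird-translations-other | suse enterprise desktop 15 SP5 | 128.5.2-150200.8.194.1 | fixed |
| MozillaThunderbird-translations-other | suse enterprise desktop 15 SP6 | 128.5.2-150200.8.194.1 | fixed |
| MozillaThunderbird-translations-other | suse enterprise desktop 15 SP7 | 128.5.2-150200.8.194.1 | fixed |
| MozillaThunderbird-translations-other | suse enterprise sap 15 SP5 | 128.5.2-150200.8.194.1 | fixed |
| MozillaThunderbird-translations-other | suse enterprise sap 15 SP6 | 128.5.2-150200.8.194.1 | fixed |
| MozillaThunderbird-translations-other | suse enterprise sap 15 SP7 | 128.5.2-150200.8.194.1 | fixed |
| MozillaThunderbird-translations-other | suse enterprise server 15 SP5 | 128.5.2-150200.8.194.1 | fixed |
| MozillaThunderbird-translations-other | suse enterprise server 15 SP6 | 128.5.2-150200.8.194.1 | fixed |
| MozillaThunderbird-translations-other | suse enterprise server 15 SP7 | 128.5.2-150200.8.194.1 | fixed |
| MozillaThunderbird-translations-other | suse enterprise workstation 15 SP5 | 128.5.2-150200.8.194.1 | fixed |
| MozillaThunderbird-translations-other | suse enterprise workstation 15 SP6 | 128.5.2-150200.8.194.1 | fixed |
| MozillaThunderbird-translations-other | suse enterprise workstation 15 SP7 | 128.5.2-150200.8.194.1 | fixed |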