FKIE_CVE-2022-39236

Vulnerability from fkie_nvd - Published: 2022-09-28 17:15 - Updated: 2024-11-21 07:17
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Summary
Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript. Starting with version 17.1.0-rc.1, improperly formed beacon events can disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer's ability to process data safely. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer. This is patched in matrix-js-sdk v19.7.0. Redacting applicable events, waiting for the sync processor to store data, and restarting the client are possible workarounds. Alternatively, redacting the applicable events and clearing all storage will fix the further perceived issues. Downgrading to an unaffected version, noting that such a version may be subject to other vulnerabilities, will additionally resolve the issue.
References
security-advisories@github.comhttps://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76Patch, Third Party Advisory
security-advisories@github.comhttps://github.com/matrix-org/matrix-js-sdk/releases/tag/v19.7.0Release Notes, Third Party Advisory
security-advisories@github.comhttps://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-hvv8-5v86-r45xThird Party Advisory
security-advisories@github.comhttps://github.com/matrix-org/matrix-spec-proposals/pull/3488Patch, Third Party Advisory
security-advisories@github.comhttps://security.gentoo.org/glsa/202210-35Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/matrix-org/matrix-js-sdk/releases/tag/v19.7.0Release Notes, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-hvv8-5v86-r45xThird Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/matrix-org/matrix-spec-proposals/pull/3488Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://security.gentoo.org/glsa/202210-35Third Party Advisory
Impacted products
Vendor Product Version
matrix javascript_sdk *
matrix javascript_sdk 17.1.0
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:matrix:javascript_sdk:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "68424611-6925-4DD4-B193-52CE6264CACB",
              "versionEndExcluding": "19.7.0",
              "versionStartIncluding": "17.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:matrix:javascript_sdk:17.1.0:rc1:*:*:*:node.js:*:*",
              "matchCriteriaId": "AEA15F9B-21FD-432C-B484-1AB439E5BE82",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript. Starting with version 17.1.0-rc.1, improperly formed beacon events can disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer\u0027s ability to process data safely. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer. This is patched in matrix-js-sdk v19.7.0. Redacting applicable events, waiting for the sync processor to store data, and restarting the client are possible workarounds. Alternatively, redacting the applicable events and clearing all storage will fix the further perceived issues. Downgrading to an unaffected version, noting that such a version may be subject to other vulnerabilities, will additionally resolve the issue."
    },
    {
      "lang": "es",
      "value": "Matrix Javascript SDK es el SDK cliente-servidor de Matrix para JavaScript. A partir de la versi\u00f3n 17.1.0-rc.1, los eventos de baliza formados inapropiadamente pueden interrumpir o impedir que matrix-js-sdk funcione apropiadamente, afectando potencialmente la capacidad del consumidor para procesar datos de forma segura. Obs\u00e9rvese que matrix-js-sdk puede parecer que funciona normalmente pero estar excluyendo o corrompiendo los datos en tiempo de ejecuci\u00f3n presentados al consumidor. Esto est\u00e1 parcheado en matrix-js-sdk v19.7.0. Redactar los eventos aplicables, esperar a que el procesador de sincronizaci\u00f3n almacene los datos y reiniciar el cliente son posibles mitigaciones. Alternativamente, redactar los eventos aplicables y borrar todo el almacenamiento corregir\u00e1 los problemas percibidos. La actualizaci\u00f3n a una versi\u00f3n no afectada, teniendo en cuenta que dicha versi\u00f3n puede estar sujeta a otras vulnerabilidades, tambi\u00e9n resolver\u00e1 el problema"
    }
  ],
  "id": "CVE-2022-39236",
  "lastModified": "2024-11-21T07:17:50.800",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-09-28T17:15:11.133",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/matrix-org/matrix-js-sdk/releases/tag/v19.7.0"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-hvv8-5v86-r45x"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/matrix-org/matrix-spec-proposals/pull/3488"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.gentoo.org/glsa/202210-35"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/matrix-org/matrix-js-sdk/releases/tag/v19.7.0"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-hvv8-5v86-r45x"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/matrix-org/matrix-spec-proposals/pull/3488"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.gentoo.org/glsa/202210-35"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-20"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.