CVE-2021-39164 – Improper authorisation of /members discloses room membership to non-members
https://notcve.org/view.php?id=CVE-2021-39164
Matrix is an ecosystem for open federated Instant Messaging and Voice over IP. In versions 1.41.0 and prior, unauthorised users can access the membership (list of members, with their display names) of a room if they know the ID of the room. The vulnerability is limited to rooms with `shared` history visibility. Furthermore, the unauthorised user must be using an account on a vulnerable homeserver that is in the room. Server administrators should upgrade to 1.41.1 or later in order to receive the patch. • https://github.com/matrix-org/synapse/commit/cb35df940a https://github.com/matrix-org/synapse/releases/tag/v1.41.1 https://github.com/matrix-org/synapse/security/advisories/GHSA-3x4c-pq33-4w3q https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2VHDEPCZ22GJFMZCWA2XZAGPOEV72POF https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PXT7ID7DNBRN2TVTETU3SYQHJKEG6PXN • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-863: Incorrect Authorization •
CVE-2021-39163 – Adding a private/unlisted room to a community exposes room metadata in an unauthorised manner.
https://notcve.org/view.php?id=CVE-2021-39163
Matrix is an ecosystem for open federated Instant Messaging and Voice over IP. In versions 1.41.0 and prior, unauthorised users can access the name, avatar, topic and number of members of a room if they know the ID of the room. This vulnerability is limited to homeservers where the vulnerable homeserver is in the room and untrusted users are permitted to create groups (communities). By default, only homeserver administrators can create groups. However, homeserver administrators can already access this information in the database or using the admin API. • https://github.com/matrix-org/synapse/commit/cb35df940a https://github.com/matrix-org/synapse/releases/tag/v1.41.1 https://github.com/matrix-org/synapse/security/advisories/GHSA-jj53-8fmw-f2w2 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2VHDEPCZ22GJFMZCWA2XZAGPOEV72POF https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PXT7ID7DNBRN2TVTETU3SYQHJKEG6PXN • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-863: Incorrect Authorization •
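Both CVE-2021-39164 and CVE-2021-39163 are the same class of mistake: a read of room state was authorised on the basis of the *homeserver* being in the room (plus, for `/members`, `shared` history visibility) rather than the *requesting user* being in the room. The following added example (not Synapse's code; the `Room` model and the sample room are constructed stand-ins for Matrix room state) contrasts the vulnerable decision with the corrected one for both the membership list and the add-room-to-group path:

```python
"""Authorisation checks for room membership and room summary reads.

Added illustration of the CVE-2021-39164 / CVE-2021-39163 bug class. This is
example code, not Synapse's implementation. The Room dataclass is a
simplified stand-in for Matrix room state; real servers must also serve a
departed user the state as of their leave event, which is omitted here.
"""
from dataclasses import dataclass, field


@dataclass
class Room:
    room_id: str
    # One of: "world_readable", "shared", "invited", "joined"
    history_visibility: str
    name: str = ""
    topic: str = ""
    # user_id -> membership state ("join", "leave", "invite", "ban")
    memberships: dict = field(default_factory=dict)

    def joined_members(self):
        return sorted(u for u, m in self.memberships.items() if m == "join")

    def server_in_room(self, server_name):
        # A server "is in the room" if any of its users are joined.
        return any(u.endswith(":" + server_name) for u in self.joined_members())


def may_list_members_vulnerable(room, requester, local_server):
    """Pre-1.41.1 style decision: trusts the server's membership, not the user's.

    With `shared` history visibility this lets any local account that knows
    the room ID read the member list, which is the CVE-2021-39164 leak.
    """
    if room.history_visibility == "world_readable":
        return True
    if room.history_visibility == "shared" and room.server_in_room(local_server):
        return True  # BUG: `requester` was never consulted
    return False


def may_list_members_fixed(room, requester):
    """Corrected decision: the requester themselves must be joined."""
    if room.history_visibility == "world_readable":
        return True
    return room.memberships.get(requester) == "join"


def may_add_room_to_group_fixed(room, requester):
    """Adding a room to a group/community publishes its name, avatar, topic and
    member count, so it needs the same membership check (CVE-2021-39163)."""
    return room.memberships.get(requester) == "join"


def room_summary(room):
    # The metadata a group listing would expose; only call after the check above.
    return {
        "name": room.name,
        "topic": room.topic,
        "num_joined_members": len(room.joined_members()),
    }


def sample_room():
    # Constructed sample: a private room with `shared` history visibility in
    # which example.org is present, but @mallory:example.org is not a member.
    return Room(
        room_id="!secret:example.org",
        history_visibility="shared",
        name="Board meeting",
        topic="Q3 numbers",
        memberships={
            "@alice:example.org": "join",
            "@bob:example.org": "join",
            "@carol:other.example": "leave",
        },
    )


if __name__ == "__main__":
    room = sample_room()
    for user in ("@alice:example.org", "@mallory:example.org"):
        print(user,
              "vulnerable:", may_list_members_vulnerable(room, user, "example.org"),
              "fixed:", may_list_members_fixed(room, user))
```

The hardened predicates are deliberately keyed on the requester's own membership; the history-visibility value decides what a member may see of the past, never whether a non-member may see anything at all.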
CVE-2021-32659 – Automatic room upgrade handling can be used maliciously to bridge a room non-consensually
https://notcve.org/view.php?id=CVE-2021-32659
Matrix-appservice-bridge is the bridging service for the Matrix communication program's application services. In versions 2.6.0 and earlier, if a bridge has room upgrade handling turned on in the configuration (the `roomUpgradeOpts` key when instantiating a new `Bridge` instance), any `m.room.tombstone` event it encounters will be used to unbridge the current room and bridge into the target room. However, the target room's `m.room.create` event is not checked to verify that its `predecessor` field points back to the previous room. This means that any malicious admin of a bridged room can repoint the bridged traffic to a different room without the new room's members being aware. Versions 2.6.1 and greater are patched. • https://github.com/matrix-org/matrix-appservice-bridge/commit/b69e745584a34fcfd858df33e4631e420da07b9f https://github.com/matrix-org/matrix-appservice-bridge/releases/tag/2.6.1 https://github.com/matrix-org/matrix-appservice-bridge/security/advisories/GHSA-35g4-qx3c-vjhx • CWE-306: Missing Authentication for Critical Function •
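The missing check is a two-way link: a tombstone names a replacement room, and the replacement room's `m.room.create` content must name the old room (and, per the Matrix spec, the tombstone's event ID) in its `predecessor` field. The following added example (not matrix-appservice-bridge's own code; the events are constructed dicts in the shape of Matrix state events, and the `create_events` mapping stands in for a state lookup against the homeserver) shows the trusting behaviour beside the validated one:

```python
"""Validating a room upgrade before a bridge follows it (CVE-2021-32659 class).

Added example, not matrix-appservice-bridge's code. `create_events` maps a
room ID to that room's `m.room.create` event and stands in for a state
request to the homeserver; the events below are constructed samples.
"""


def follow_upgrade_vulnerable(tombstone, create_events):
    """Pre-2.6.1 style: believe whatever room the tombstone points at."""
    return tombstone["content"].get("replacement_room")


def follow_upgrade_fixed(tombstone, create_events):
    """Only follow the upgrade if the target room's create event points back.

    Returns the replacement room ID on success and None when the upgrade
    cannot be verified, so the caller leaves the current bridge in place.
    """
    old_room = tombstone["room_id"]
    new_room = tombstone["content"].get("replacement_room")
    if not new_room:
        return None
    create = create_events.get(new_room)
    if create is None or create.get("type") != "m.room.create":
        return None  # target state unavailable: do not repoint blindly
    predecessor = create.get("content", {}).get("predecessor") or {}
    if predecessor.get("room_id") != old_room:
        return None  # target room does not claim to succeed this room
    # When the create event names the tombstone event, require it to match too.
    if "event_id" in predecessor and predecessor["event_id"] != tombstone["event_id"]:
        return None
    return new_room


# Constructed sample events (shape follows the Matrix spec; IDs are made up).
LEGIT_TOMBSTONE = {
    "type": "m.room.tombstone",
    "room_id": "!old:example.org",
    "event_id": "$tombstone1",
    "sender": "@admin:example.org",
    "state_key": "",
    "content": {"body": "This room has been replaced",
                "replacement_room": "!new:example.org"},
}

MALICIOUS_TOMBSTONE = {
    "type": "m.room.tombstone",
    "room_id": "!old:example.org",
    "event_id": "$tombstone2",
    "sender": "@rogueadmin:example.org",
    "state_key": "",
    "content": {"body": "Moved",
                "replacement_room": "!attacker:example.org"},
}

CREATE_EVENTS = {
    # Genuine upgrade: the new room records the old room as its predecessor.
    "!new:example.org": {
        "type": "m.room.create",
        "room_id": "!new:example.org",
        "content": {"creator": "@admin:example.org", "room_version": "9",
                    "predecessor": {"room_id": "!old:example.org",
                                    "event_id": "$tombstone1"}},
    },
    # Attacker-controlled room: an ordinary room with no predecessor.
    "!attacker:example.org": {
        "type": "m.room.create",
        "room_id": "!attacker:example.org",
        "content": {"creator": "@rogueadmin:example.org", "room_version": "9"},
    },
}


if __name__ == "__main__":
    for label, ev in (("legit", LEGIT_TOMBSTONE), ("malicious", MALICIOUS_TOMBSTONE)):
        print(label, "vulnerable ->", follow_upgrade_vulnerable(ev, CREATE_EVENTS),
              "| fixed ->", follow_upgrade_fixed(ev, CREATE_EVENTS))
```

Note that the predecessor check is necessary but not the whole story: a room admin who can send a tombstone can also create a new room whose create event names the old one, so a bridge that wants to resist a rogue admin entirely needs an out-of-band policy (for example, confirmation on the remote side) before moving traffic. The check above closes the case the advisory describes, where the target room never consented to being the successor.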
CVE-2021-34813
https://notcve.org/view.php?id=CVE-2021-34813
Matrix libolm before 3.2.3 allows a malicious Matrix homeserver to crash a client (while it is attempting to retrieve an Olm-encrypted room key backup from the homeserver) because olm_pk_decrypt has a stack-based buffer overflow. Remote code execution might be possible for some nonstandard build configurations. • https://gitlab.matrix.org/matrix-org/olm/-/commit/ccc0d122ee1b4d5e5ca4ec1432086be17d5f901b https://gitlab.matrix.org/matrix-org/olm/-/releases/3.2.3 https://matrix.org/blog/2021/06/14/adventures-in-fuzzing-libolm • CWE-787: Out-of-bounds Write •
CVE-2021-32622 – File upload local preview can run embedded scripts after user interaction
https://notcve.org/view.php?id=CVE-2021-32622
Matrix-React-SDK is a react-based SDK for inserting a Matrix chat/voip client into a web page. Before version 3.21.0, when uploading a file, the local file preview can lead to execution of scripts embedded in the uploaded file. This can only occur after several user interactions to open the preview in a separate tab. This only impacts the local user while in the process of uploading. It cannot be exploited remotely or by other users. • https://github.com/matrix-org/matrix-react-sdk/pull/5981 https://github.com/matrix-org/matrix-react-sdk/security/advisories/GHSA-8796-gc9j-63rv • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-434: Unrestricted Upload of File with Dangerous Type •