CVE-2024-52505 – matrix-appservice-irc allows IRC Command injection in provisioning API
https://notcve.org/view.php?id=CVE-2024-52505
matrix-appservice-irc is a Node.js IRC bridge for the Matrix messaging protocol. The provisioning API of the matrix-appservice-irc bridge up to version 3.0.2 contains a vulnerability which can lead to arbitrary IRC command execution as the bridge IRC bot. The vulnerability has been patched in matrix-appservice-irc version 3.0.3. • https://github.com/matrix-org/matrix-appservice-irc/commit/4a024eae1a992b1ea67e71a998e0b833b54221e2 https://github.com/matrix-org/matrix-appservice-irc/security/advisories/GHSA-c3hj-hg7p-rrq5 • CWE-147: Improper Neutralization of Input Terminators •
CVE-2024-50336 – matrix-js-sdk has insufficient MXC URI validation which allows client-side path traversal
https://notcve.org/view.php?id=CVE-2024-50336
matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. matrix-js-sdk before 34.11.0 is vulnerable to client-side path traversal via crafted MXC URIs. A malicious room member can trigger clients based on the matrix-js-sdk to issue arbitrary authenticated GET requests to the client's homeserver. Fixed in matrix-js-sdk 34.11.1. • https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-xvg8-m4x3-w6xr https://spec.matrix.org/v1.12/client-server-api/#security-considerations-5 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2024-47824 – Malicious homeservers can steal message keys when the matrix-react-sdk user invites another user to a room
https://notcve.org/view.php?id=CVE-2024-47824
matrix-react-sdk is react-based software development kit for inserting a Matrix chat/VOIP client into a web page. Starting in version 3.18.0 and before 3.102.0, matrix-react-sdk allows a malicious homeserver to potentially steal message keys for a room when a user invites another user to that room, via injection of a malicious device controlled by the homeserver. This is possible because matrix-react-sdk before 3.102.0 shared historical message keys on invite. Version 3.102.0 fixes this issue by disabling sharing message keys on invite by removing calls to the vulnerable functionality. No known workarounds are available. • https://github.com/matrix-org/matrix-react-sdk/security/advisories/GHSA-qcvh-p9jq-wp8v https://github.com/matrix-org/matrix-react-sdk/pull/12618 https://github.com/matrix-org/matrix-react-sdk/commit/6fc9d7641c51ca3db8225cf58b9d6e6fdd2d6556 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2024-47080 – matrix-js-sdk keys sent via `sendSharedHistoryKeys` vulnerable to interception by malicious homeserver
https://notcve.org/view.php?id=CVE-2024-47080
matrix-js-sdk is the Matrix Client-Server SDK for JavaScript and TypeScript. In matrix-js-sdk versions versions 9.11.0 through 34.7.0, the method `MatrixClient.sendSharedHistoryKeys` is vulnerable to interception by malicious homeservers. The method was introduced by MSC3061) and is commonly used to share historical message keys with newly invited users, granting them access to past messages in the room. However, it unconditionally sends these "shared" keys to all of the invited user's devices, regardless of whether the user's cryptographic identity is verified or whether the user's devices are signed by that identity. This allows the attacker to potentially inject its own devices to receive sensitive historical keys without proper security checks. • https://github.com/matrix-org/matrix-js-sdk/commit/2fb1e659c81f75253c047832dc9dcc2beddfac5f https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-4jf8-g8wp-cx7c https://github.com/matrix-org/matrix-spec-proposals/pull/3061 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-287: Improper Authentication •
CVE-2024-42369 – A room with itself as a its predecessor will freeze matrix-js-sdk
https://notcve.org/view.php?id=CVE-2024-42369
matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. A malicious homeserver can craft a room or room structure such that the predecessors form a cycle. The matrix-js-sdk's getRoomUpgradeHistory function will infinitely recurse in this case, causing the code to hang. This method is public but also called by the 'leaveRoomChain()' method, so leaving a room will also trigger the bug. This was patched in matrix-js-sdk 34.3.1. • https://github.com/matrix-org/matrix-js-sdk/commit/a0efed8b881b3db6c9f2c71d6a6e74c2828978c6 https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-vhr5-g3pm-49fm • CWE-674: Uncontrolled Recursion •