CVE-2022-39236
Matrix Javascript SDK improper beacon events can cause availability issues
Public Exploits: 0
Exploited in Wild: -
Descriptions
Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript. Starting with version 17.1.0-rc.1, improperly formed beacon events can disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer's ability to process data safely. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer. This is patched in matrix-js-sdk v19.7.0. Redacting applicable events, waiting for the sync processor to store data, and restarting the client are possible workarounds. Alternatively, redacting the applicable events and clearing all storage will fix the further perceived issues. Downgrading to an unaffected version, noting that such a version may be subject to other vulnerabilities, will additionally resolve the issue.
Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript. Starting with version 17.1.0-rc.1, improperly formed beacon events can disrupt or prevent matrix-js-sdk from functioning properly, potentially affecting the consumer's ability to process data safely. Note that matrix-js-sdk may appear to be working normally while excluding or corrupting the runtime data presented to the consumer. This is patched in matrix-js-sdk v19.7.0. Redacting the applicable events, waiting for the sync processor to store the data, and restarting the client are possible mitigations. Alternatively, redacting the applicable events and clearing all storage will fix the perceived issues. Updating to an unaffected version, bearing in mind that such a version may be subject to other vulnerabilities, will also resolve the issue.
A flaw was found in Mozilla. According to the Mozilla Foundation Security Advisory, Thunderbird users who use the Matrix chat protocol are vulnerable to a data corruption issue. An attacker could potentially cause data integrity issues by sending specially crafted messages.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2022-09-02 CVE Reserved
- 2022-09-28 CVE Published
- 2024-04-20 EPSS Updated
- 2024-08-03 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-20: Improper Input Validation
CAPEC
References (7)
URL | Tag | Source |
---|---|---|
https://github.com/matrix-org/matrix-js-sdk/releases/tag/v19.7.0 | Release Notes | |
https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-hvv8-5v86-r45x | Third Party Advisory | |

URL | Date | SRC |
---|---|---|
https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76 | 2022-12-08 | |
https://github.com/matrix-org/matrix-spec-proposals/pull/3488 | 2022-12-08 | |

URL | Date | SRC |
---|---|---|
https://security.gentoo.org/glsa/202210-35 | 2022-12-08 | |
https://access.redhat.com/security/cve/CVE-2022-39236 | 2022-10-25 | |
https://bugzilla.redhat.com/show_bug.cgi?id=2135391 | 2022-10-25 | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Matrix | Javascript Sdk | >= 17.1.0 < 19.7.0 | node.js | Affected |
Matrix | Javascript Sdk | 17.1.0 | rc1, node.js | Affected |