CVE-2023-28427
Prototype pollution in matrix-js-sdk
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. In versions prior to 24.0.0 events sent with special strings in key places can temporarily disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer's ability to process data safely. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer. This vulnerability is distinct from GHSA-rfv9-x7hh-xc32 which covers a similar issue. The issue has been patched in matrix-js-sdk 24.0.0 and users are advised to upgrade. There are no known workarounds for this vulnerability.
The Mozilla Foundation Security Advisory describes this flaw as:
Thunderbird users who use the Matrix chat protocol were vulnerable to a denial-of-service attack.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2023-03-15 CVE Reserved
- 2023-03-28 CVE Published
- 2024-08-02 CVE Updated
- 2024-11-02 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CAPEC
References (7)
URL | Tag | Source |
---|---|---|
https://lists.debian.org/debian-lts-announce/2023/04/msg00027.html | ||
https://security.gentoo.org/glsa/202305-36 | ||
https://www.debian.org/security/2023/dsa-5392 |
URL | Date | SRC |
---|
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Matrix Search vendor "Matrix" | Javascript Sdk Search vendor "Matrix" for product "Javascript Sdk" | < 24.0.0 Search vendor "Matrix" for product "Javascript Sdk" and version " < 24.0.0" | node.js |
Affected
|