CVE-2022-36059Prototype Pollution in Matrix-js-sdk

CWE-1321Prototype PollutionCWE-440Expected Behavior Violation13 documents9 sources
Severity
5.3MEDIUMNVD
CNA8.2OSV8.8
EPSS
0.6%
top 31.46%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Matrix-org Matrix-js-sdkMozilla ThunderbirdMatrix Javascript SDK
Timeline
PublishedMar 28
Latest updateMar 30

Description

matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. In versions prior to 19.4.0 events sent with special strings in key places can temporarily disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer's ability to process data safely. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer. This issue has been fixed in matrix-js-sdk 19.4.0 and users are

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages5 packages

NVDmatrix/javascript_sdk< 19.4.0
CVEListV5matrix-org/matrix-js-sdk< 19.4.0
npmmatrix-org/matrix-js-sdk< 19.4.0+1
Debianmozilla/thunderbird< 1:102.2.1-1+2
Ubuntumozilla/thunderbird< 1:102.2.2+build1-0ubuntu0.18.04.1+2

🔴Vulnerability Details

7
OSV
Prototype pollution in matrix-js-sdk (part 2)2023-03-30
GHSA
Prototype pollution in matrix-js-sdk (part 2)2023-03-30
GHSA
matrix-js-sdk Prototype Pollution vulnerability2023-03-28
CVEList
Prototype pollution in matrix-js-sdk2023-03-28
OSV
matrix-js-sdk Prototype Pollution vulnerability2023-03-28

📋Vendor Advisories

4
Ubuntu
Thunderbird vulnerabilities2022-10-07
Red Hat
Mozilla: Matrix SDK bundled with Thunderbird vulnerable to denial-of-service attack2022-08-31
Debian
CVE-2022-36059: node-matrix-js-sdk - matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. I...2022
Mozilla
Mozilla Foundation Security Advisory 2022-38: CVE-2022-36059

💬Community

1
Bugzilla
Update matrix-js-sdk to v19.4.02022-08-29
CVE-2022-36059 — Prototype Pollution in Matrix-js-sdk | cvebase