CVE-2022-39251 — Improper Authentication in Matrix-js-sdk

CWE-287 — Improper Authentication CWE-322 — Key Exchange without Entity Authentication11 documents9 sources

Severity

7.5HIGHNVD

CNA8.6OSV5.5

EPSS

0.4%

top 41.50%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Matrix-org Matrix-js-sdk Matrix Javascript SDK Mozilla Thunderbird

Timeline

PublishedSep 28

Latest updateDec 7

Description

Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript. Prior to version 19.7.0, an attacker cooperating with a malicious homeserver can construct messages that legitimately appear to have come from another person, without any indication such as a grey shield. Additionally, a sophisticated attacker cooperating with a malicious homeserver could employ this vulnerability to perform a targeted attack in order to send fake to-device messages appearing to originate from another user. Th…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶NVDmatrix/javascript_sdk< 19.7.0

▶CVEListV5matrix-org/matrix-js-sdk< 19.7.0

▶npmmatrix-org/matrix-js-sdk< 19.7.0

▶Ubuntumozilla/thunderbird< 1:102.4.2+build2-0ubuntu0.18.04.1+2

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

thunderbird vulnerabilities↗2022-11-11

▶

OSV

matrix-js-sdk subject to user spoofing via Olm/Megolm protocol confusion↗2022-09-30

▶

GHSA

matrix-js-sdk subject to user spoofing via Olm/Megolm protocol confusion↗2022-09-30

▶

CVEList

Matrix Javascript SDK vulnerable to Olm/Megolm protocol confusion↗2022-09-28

▶

OSV

CVE-2022-39251: Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript↗2022-09-28

▶

📋Vendor Advisories

Ubuntu

Thunderbird vulnerabilities↗2022-11-11

▶

Red Hat

Mozilla: Matrix SDK bundled with Thunderbird vulnerable to an impersonation attack↗2022-09-28

▶

Debian

CVE-2022-39251: node-matrix-js-sdk - Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript. Prior to v...↗2022

▶

Mozilla

Mozilla Foundation Security Advisory 2022-43: CVE-2022-39251↗

▶

📄Research Papers

arXiv

The Matrix Reloaded: A Mechanized Formal Analysis of the Matrix Cryptographic Suite↗2024-12-07

▶