CVE-2023-28427Prototype Pollution in Matrix-js-sdk

CWE-1321Prototype Pollution8 documents7 sources
Severity
8.2HIGHNVD
GHSA5.3OSV5.3
EPSS
0.4%
top 37.09%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Matrix-org Matrix-js-sdkMozilla ThunderbirdMatrix Javascript SDK
Timeline
PublishedMar 28
Latest updateMar 30

Description

matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. In versions prior to 24.0.0 events sent with special strings in key places can temporarily disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer's ability to process data safely. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer. This vulnerability is distinct from GHSA-rfv9-x7hh-xc32 which c

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:HExploitability: 3.9 | Impact: 4.2

Affected Packages4 packages

NVDmatrix/javascript_sdk< 24.0.0
CVEListV5matrix-org/matrix-js-sdk< 24.0.0
Debianmozilla/thunderbird< 1:102.10.0-1~deb11u1+3

🔴Vulnerability Details

4
OSV
Prototype pollution in matrix-js-sdk (part 2)2023-03-30
GHSA
Prototype pollution in matrix-js-sdk (part 2)2023-03-30
OSV
CVE-2023-28427: matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript2023-03-28
CVEList
Prototype pollution in matrix-js-sdk2023-03-28

📋Vendor Advisories

3
Red Hat
Mozilla: Matrix SDK bundled with Thunderbird vulnerable to denial-of-service attack2023-03-28
Debian
CVE-2023-28427: node-matrix-js-sdk - matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. I...2023
Mozilla
Mozilla Foundation Security Advisory 2023-12: CVE-2023-28427
CVE-2023-28427 — Prototype Pollution in Matrix-js-sdk | cvebase