CVE-2023-38691

2023-08-0417:15:11

CWE-287

[email protected]

web.nvd.nist.gov

2400

matrix-appservice-bridge

api

vulnerability

openid

impersonation

security

nvd

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

0.0005 Low

EPSS

Percentile

18.3%

JSON

matrix-appservice-bridge provides an API for setting up bridges. Starting in version 4.0.0 and prior to versions 8.1.2 and 9.0.1, a malicious Matrix server can use a foreign user’s MXID in an OpenID exchange, allowing a bad actor to impersonate users when using the provisioning API. The library does not check that the servername part of the sub parameter (containing the user’s claimed MXID) is the the same as the servername we are talking to. A malicious actor could spin up a server on any given domain, respond with a sub parameter according to the user they want to act as and use the resulting token to perform provisioning requests. Versions 8.1.2 and 9.0.1 contain a patch. As a workaround, disable the provisioning API.

Affected configurations

Vulners

NVD

Node

matrix-orgmatrix_appservice_bridgeRange4.0.0–8.1.2

matrix-orgmatrix_appservice_bridgeMatch9.0.0

CPENameOperatorVersion
matrix:matrix-appservice-bridgematrix matrix-appservice-bridgelt8.1.2
matrix:matrix-appservice-bridgematrix matrix-appservice-bridgeeq9.0.0

CPE	Name	Operator	Version
matrix:matrix-appservice-bridge	matrix matrix-appservice-bridge	lt	8.1.2
matrix:matrix-appservice-bridge	matrix matrix-appservice-bridge	eq	9.0.0

CNA Affected

[
  {
    "vendor": "matrix-org",
    "product": "matrix-appservice-bridge",
    "versions": [
      {
        "version": ">= 4.0.0, < 8.1.2",
        "status": "affected"
      },
      {
        "version": "= 9.0.0",
        "status": "affected"
      }
    ]
  }
]