CVE-2023-38691 matrix-appservice-bridge doesn't verify the sub parameter of an openId token exhange, allowing unauthorized access to provisioning APIs

2023-08-0416:34:54

CWE-287

GitHub_M

www.cve.org

matrix-appservice-bridge

openid

vulnerability

unauthorized access

provisioning api

5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

0.0005 Low

EPSS

Percentile

18.1%

JSON

matrix-appservice-bridge provides an API for setting up bridges. Starting in version 4.0.0 and prior to versions 8.1.2 and 9.0.1, a malicious Matrix server can use a foreign user’s MXID in an OpenID exchange, allowing a bad actor to impersonate users when using the provisioning API. The library does not check that the servername part of the sub parameter (containing the user’s claimed MXID) is the the same as the servername we are talking to. A malicious actor could spin up a server on any given domain, respond with a sub parameter according to the user they want to act as and use the resulting token to perform provisioning requests. Versions 8.1.2 and 9.0.1 contain a patch. As a workaround, disable the provisioning API.

CNA Affected

[
  {
    "vendor": "matrix-org",
    "product": "matrix-appservice-bridge",
    "versions": [
      {
        "version": ">= 4.0.0, < 8.1.2",
        "status": "affected"
      },
      {
        "version": "= 9.0.0",
        "status": "affected"
      }
    ]
  }
]