Lucene search

GoogleOSV:GHSA-2X9C-QWGF-94XR

HistoryMar 28, 2023 - 7:57 p.m.

matrix-react-sdk Prototype pollution vulnerability

2023-03-2819:57:57

Google

osv.dev

vulnerability

matrix-react-sdk

impact

fixed

version 3.53.0

upgrade

prototype pollution

security advisory

javascript

8.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

0.0005 Low

EPSS

Percentile

18.2%

JSON

Impact

Events sent with special strings in key places can temporarily disrupt or impede the matrix-react-sdk from functioning properly, such as by causing room or event tile crashes. The remainder of the application can appear functional, though certain rooms/events will not be rendered.

Patches

This is fixed in matrix-react-sdk 3.53.0

Workarounds

There are no workarounds. Please upgrade immediately.

References

https://learn.snyk.io/lessons/prototype-pollution/javascript/

For more information

If you have any questions or comments about this advisory please email us at security at matrix.org.

CPENameOperatorVersion
matrix-react-sdklt3.53.0

CPE	Name	Operator	Version
	matrix-react-sdk	lt	3.53.0

References

github.com/matrix-org/matrix-react-sdk

github.com/matrix-org/matrix-react-sdk/releases/tag/v3.53.0

github.com/matrix-org/matrix-react-sdk/security/advisories/GHSA-2x9c-qwgf-94xr

nvd.nist.gov/vuln/detail/CVE-2022-36060

8.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

0.0005 Low

EPSS

Percentile

18.2%

JSON

Related for OSV:GHSA-2X9C-QWGF-94XR