Lucene search
Veracode Vulnerability DatabaseVERACODE:37349HistorySep 30, 2022 - 6:19 a.m.
Authentication Bypass
2022-09-3006:19:49
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
12
authentication bypass
vulnerability
cross-signing
keys
confusion
software
matrix-js-sdk
0.001 Low
EPSS
Percentile
45.5%
matrix-js-sdk is vulnerable to authentication bypass. A malicious server admin is able to break emoji-based verification when cross-signing is in use, authenticating themselves instead of the target user being verified. The vulnerability is possible because the library confuses device IDs and cross-signing keys together.
References
github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76
github.com/matrix-org/matrix-js-sdk/pull/2712
github.com/matrix-org/matrix-js-sdk/releases/tag/v19.7.0
github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-5w8r-8pgj-5jmf
matrix.org/blog/2022/09/28/upgrade-now-to-address-encryption-vulns-in-matrix-sdks-and-clients
security.gentoo.org/glsa/202210-35
Related
redhatcve
redhatcve
CVE-2022-39250
2022-10-17 14:18:56
alpinelinux
alpinelinux
CVE-2022-39250
2022-09-29 13:15:09
github
github
cve
cve
CVE-2022-39250
2022-09-29 13:15:09
prion
prion
Cross site scripting
2022-09-29 13:15:00
osv
osv
matrix-js-sdk subject to user impersonation due to key/device identifier confusion in SAS verification
2022-09-30 22:46:50
CVE-2022-39250
2022-09-29 13:15:09
Important: thunderbird security update
2022-10-25 00:00:00
nvd
nvd
CVE-2022-39250
2022-09-29 13:15:09
ubuntucve
ubuntucve
CVE-2022-39250
2022-09-29 00:00:00
cvelist
cvelist
debiancve
debiancve
CVE-2022-39250
2022-09-29 13:15:09
freebsd
freebsd
Matrix clients -- several vulnerabilities
2022-09-23 00:00:00
nessus
nessus
Mozilla Thunderbird < 102.3.1
2022-09-29 00:00:00
Slackware Linux 15.0 / current mozilla-thunderbird Multiple Vulnerabilities (SSA:2022-273-01)
2022-09-30 00:00:00
Fedora 35 : thunderbird (2022-1454bee2fa)
2022-12-22 00:00:00
kaspersky
kaspersky
KLA19266 Multiple vulnerabilities in Mozilla Thunderbird
2022-09-28 00:00:00
slackware
slackware
[slackware-security] mozilla-thunderbird
2022-09-30 18:00:22
openvas
openvas
Mozilla Thunderbird Security Advisory (MFSA2022-43) - Mac OS X
2022-09-30 00:00:00
Mageia: Security Advisory (MGASA-2022-0355)
2022-10-03 00:00:00
Mozilla Thunderbird Security Advisory (MFSA2022-43) - Windows
2022-09-30 00:00:00
mozilla
mozilla
Security Vulnerabilities fixed in Thunderbird 102.3.1 — Mozilla
2022-09-28 00:00:00
mageia
mageia
Updated thunderbird packages fix security vulnerability
2022-10-01 20:48:24
altlinux
altlinux
Security fix for the ALT Linux 10 package thunderbird version 102.3.1-alt1
2022-10-10 00:00:00
oraclelinux
oraclelinux
thunderbird security update
2022-10-27 00:00:00
thunderbird security update
2022-10-27 00:00:00
thunderbird security update
2022-10-27 00:00:00
almalinux
almalinux
Important: thunderbird security update
2022-10-25 00:00:00
Important: thunderbird security update
2022-10-25 00:00:00
redhat
redhat
(RHSA-2022:7178) Important: thunderbird security update
2022-10-25 13:48:26
(RHSA-2022:7183) Important: thunderbird security update
2022-10-25 14:13:27
(RHSA-2022:7184) Important: thunderbird security update
2022-10-25 14:16:46
gentoo
gentoo
Mozilla Thunderbird: Multiple Vulnerabilities
2022-10-31 00:00:00
rocky
rocky
thunderbird security update
2022-10-25 14:29:50
suse
suse
Security update for MozillaThunderbird (important)
2022-10-27 00:00:00
ubuntu
ubuntu
Thunderbird vulnerabilities
2022-11-11 00:00:00
amazon
amazon
Important: thunderbird
2022-12-01 20:32:00
Important: thunderbird
2022-12-01 20:32:00