Lucene search

K
cvelistGitHub_MCVELIST:CVE-2023-28427
HistoryMar 28, 2023 - 8:32 p.m.

CVE-2023-28427 Prototype pollution in matrix-js-sdk

2023-03-2820:32:22
CWE-1321
GitHub_M
www.cve.org
matrix-js-sdk
javascript
prototype pollution

8.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

8.3 High

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

70.4%

matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. In versions prior to 24.0.0 events sent with special strings in key places can temporarily disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer’s ability to process data safely. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer. This vulnerability is distinct from GHSA-rfv9-x7hh-xc32 which covers a similar issue. The issue has been patched in matrix-js-sdk 24.0.0 and users are advised to upgrade. There are no known workarounds for this vulnerability.

CNA Affected

[
  {
    "vendor": "matrix-org",
    "product": "matrix-js-sdk",
    "versions": [
      {
        "version": "< 24.0.0",
        "status": "affected"
      }
    ]
  }
]

8.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

8.3 High

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

70.4%