13 matches found
CVE-2023-38691
matrix-appservice-bridge provides an API for setting up bridges. Starting in version 4.0.0 and prior to versions 8.1.2 and 9.0.1, a malicious Matrix server can use a foreign user's MXID in an OpenID exchange, allowing a bad actor to impersonate users when using the provisioning API. The library...
CVE-2021-32659
Matrix-appservice-bridge is the bridging service for the Matrix communication program's application services. In versions 2.6.0 and earlier, if a bridge has room upgrade handling turned on in the configuration (the roomUpgradeOpts key when instantiating a new Bridge instance), any m.room.tombstone...
matrix-appservice-irc (=0.36.0) potentially affected by CVE-2023-38691 via matrix-appservice-bridge (=6.0.0)
matrix-appservice-bridge NPM version =6.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on matrix-appservice-bridge and may be impacted: - matrix-appservice-irc =0.36.0 Source cves: CVE-2023-38691 Source advisory: OSV:GHSA-VC7J-H8XG-FV5X...
CVE-2023-38691
matrix-appservice-bridge provides an API for setting up bridges. Starting in version 4.0.0 and prior to versions 8.1.2 and 9.0.1, a malicious Matrix server can use a foreign user's MXID in an OpenID exchange, allowing a bad actor to impersonate users when using the provisioning API. The library...
Code injection
matrix-appservice-bridge provides an API for setting up bridges. Starting in version 4.0.0 and prior to versions 8.1.2 and 9.0.1, a malicious Matrix server can use a foreign user's MXID in an OpenID exchange, allowing a bad actor to impersonate users when using the provisioning API. The library...
CVE-2023-38691 matrix-appservice-bridge doesn't verify the sub parameter of an openId token exchange, allowing unauthorized access to provisioning APIs
matrix-appservice-bridge provides an API for setting up bridges. Starting in version 4.0.0 and prior to versions 8.1.2 and 9.0.1, a malicious Matrix server can use a foreign user's MXID in an OpenID exchange, allowing a bad actor to impersonate users when using the provisioning API. The library...
CVE-2023-38691 matrix-appservice-bridge doesn't verify the sub parameter of an openId token exchange, allowing unauthorized access to provisioning APIs
matrix-appservice-bridge provides an API for setting up bridges. Starting in version 4.0.0 and prior to versions 8.1.2 and 9.0.1, a malicious Matrix server can use a foreign user's MXID in an OpenID exchange, allowing a bad actor to impersonate users when using the provisioning API. The library...
CVE-2023-38691
CVE-2023-38691 affects matrix-appservice-bridge. The issue: the bridge does not verify that the servername in the OpenID sub claim matches the target server, allowing a malicious Matrix server to impersonate users via the provisioning API. Affected versions are 4.0.0 up to 8.1.1 and 9.0.0; patch ...
Matrix-appservice-bridge Authorization Issues Vulnerability
Matrix-appservice-bridge is an open source service. It is used to bridge application services for the Matrix communication program. Matrix-appservice-bridge suffers from an authorization issue vulnerability that stems from the fact that a malicious Matrix server can use an external user's MXID in...
@rocket.chat/hubot-freddie (=0.0.7), @types/matrix-appservice-bridge (=2.0.0) +6 more potentially affected by CVE-2021-32659 via matrix-appservice-bridge (>=0.1.5 <=1.13.2)
matrix-appservice-bridge NPM version =0.1.5, =0.0.2, =0.0.1, =0.0.2, =1.0.0, =1.15.0 - matrix-puppet-hangouts =0.0.4 Source cves: CVE-2021-32659 Source advisory: OSV:GHSA-35G4-QX3C-VJHX...
GHSA-35G4-QX3C-VJHX Automatic room upgrade handling can be used maliciously to bridge a room non-consensually
Impact: If a bridge has room upgrade handling turned on in the configuration (the roomUpgradeOpts key when instantiating a new Bridge instance), any m.room.tombstone event it encounters will be used to unbridge the current room and bridge into the target room. However, the target room m.room.create...
CVE-2021-32659
Matrix-appservice-bridge is the bridging service for the Matrix communication program's application services. In versions 2.6.0 and earlier, if a bridge has room upgrade handling turned on in the configuration (the roomUpgradeOpts key when instantiating a new Bridge instance), any m.room.tombstone...
Matrix-appservice-bridge Access Control Error Vulnerability
Matrix-appservice-bridge is an open source service. It is used for bridging application services for the Matrix communication program. A security vulnerability exists in Matrix-appservice-bridge, which stems from the fact that in version 2.6.0 and earlier, if the bridge is configured with room...