CVE-2022-39236

{"id": "CVE-2022-39236", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2022-09-28T17:15:11.133", "references": [{"url": "https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/matrix-org/matrix-js-sdk/releases/tag/v19.7.0", "tags": ["Release Notes", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-hvv8-5v86-r45x", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/matrix-org/matrix-spec-proposals/pull/3488", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://security.gentoo.org/glsa/202210-35", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/matrix-org/matrix-js-sdk/releases/tag/v19.7.0", "tags": ["Release Notes", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-hvv8-5v86-r45x", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/matrix-org/matrix-spec-proposals/pull/3488", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://security.gentoo.org/glsa/202210-35", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-20"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript. Starting with version 17.1.0-rc.1, improperly formed beacon events can disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer's ability to process data safely. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer. This is patched in matrix-js-sdk v19.7.0. Redacting applicable events, waiting for the sync processor to store data, and restarting the client are possible workarounds. Alternatively, redacting the applicable events and clearing all storage will fix the further perceived issues. Downgrading to an unaffected version, noting that such a version may be subject to other vulnerabilities, will additionally resolve the issue."}, {"lang": "es", "value": "Matrix Javascript SDK es el SDK cliente-servidor de Matrix para JavaScript. A partir de la versi\u00f3n 17.1.0-rc.1, los eventos de baliza formados inapropiadamente pueden interrumpir o impedir que matrix-js-sdk funcione apropiadamente, afectando potencialmente la capacidad del consumidor para procesar datos de forma segura. Obs\u00e9rvese que matrix-js-sdk puede parecer que funciona normalmente pero estar excluyendo o corrompiendo los datos en tiempo de ejecuci\u00f3n presentados al consumidor. Esto est\u00e1 parcheado en matrix-js-sdk v19.7.0. Redactar los eventos aplicables, esperar a que el procesador de sincronizaci\u00f3n almacene los datos y reiniciar el cliente son posibles mitigaciones. Alternativamente, redactar los eventos aplicables y borrar todo el almacenamiento corregir\u00e1 los problemas percibidos. La actualizaci\u00f3n a una versi\u00f3n no afectada, teniendo en cuenta que dicha versi\u00f3n puede estar sujeta a otras vulnerabilidades, tambi\u00e9n resolver\u00e1 el problema"}], "lastModified": "2024-11-21T07:17:50.800", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:matrix:javascript_sdk:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "68424611-6925-4DD4-B193-52CE6264CACB", "versionEndExcluding": "19.7.0", "versionStartIncluding": "17.1.0"}, {"criteria": "cpe:2.3:a:matrix:javascript_sdk:17.1.0:rc1:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "AEA15F9B-21FD-432C-B484-1AB439E5BE82"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}