matrix-react-sdk is a react-based SDK for inserting a Matrix chat/voip client into a web page. A malicious homeserver could manipulate a user's account data to cause the client to enable URL previews in end-to-end encrypted rooms, in which case any URLs in encrypted messages would be sent to the server. This was patched in matrix-react-sdk 3.105.0. Deployments that trust their homeservers, as well as closed federations of trusted servers, are not affected. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References
Link | Resource |
---|---|
https://github.com/matrix-org/matrix-react-sdk/releases/tag/v3.105.1 | Release Notes |
https://github.com/matrix-org/matrix-react-sdk/security/advisories/GHSA-f83w-wqhc-cfp4 | Vendor Advisory |
Configurations
History
12 Aug 2024, 18:52
Type | Values Removed | Values Added |
---|---|---|
CWE | NVD-CWE-noinfo | |
References | () https://github.com/matrix-org/matrix-react-sdk/releases/tag/v3.105.1 - Release Notes | |
References | () https://github.com/matrix-org/matrix-react-sdk/security/advisories/GHSA-f83w-wqhc-cfp4 - Vendor Advisory | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 6.5 |
First Time |
Matrix matrix-react-sdk
Matrix |
|
CPE | cpe:2.3:a:matrix:matrix-react-sdk:*:*:*:*:*:*:*:* |
07 Aug 2024, 15:17
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
06 Aug 2024, 18:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-08-06 18:15
Updated : 2024-08-12 18:52
NVD link : CVE-2024-42347
Mitre link : CVE-2024-42347
CVE.ORG link : CVE-2024-42347
JSON object : View
Products Affected
matrix
- matrix-react-sdk
CWE