CVE-2024-42347

matrix-react-sdk is a react-based SDK for inserting a Matrix chat/voip client into a web page. A malicious homeserver could manipulate a user's account data to cause the client to enable URL previews in end-to-end encrypted rooms, in which case any URLs in encrypted messages would be sent to the server. This was patched in matrix-react-sdk 3.105.0. Deployments that trust their homeservers, as well as closed federations of trusted servers, are not affected. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Configurations

Configuration 1 (hide)

cpe:2.3:a:matrix:matrix-react-sdk:*:*:*:*:*:*:*:*

History

12 Aug 2024, 18:52

Type Values Removed Values Added
CWE NVD-CWE-noinfo
References () https://github.com/matrix-org/matrix-react-sdk/releases/tag/v3.105.1 - () https://github.com/matrix-org/matrix-react-sdk/releases/tag/v3.105.1 - Release Notes
References () https://github.com/matrix-org/matrix-react-sdk/security/advisories/GHSA-f83w-wqhc-cfp4 - () https://github.com/matrix-org/matrix-react-sdk/security/advisories/GHSA-f83w-wqhc-cfp4 - Vendor Advisory
CVSS v2 : unknown
v3 : 7.7
v2 : unknown
v3 : 6.5
First Time Matrix matrix-react-sdk
Matrix
CPE cpe:2.3:a:matrix:matrix-react-sdk:*:*:*:*:*:*:*:*

07 Aug 2024, 15:17

Type Values Removed Values Added
Summary
  • (es) Matrix-react-sdk es un SDK basado en reacción para insertar un cliente de chat/voip Matrix en una página web. Un servidor doméstico malicioso podría manipular los datos de la cuenta de un usuario para hacer que el cliente habilite vistas previas de URL en salas cifradas de extremo a extremo, en cuyo caso cualquier URL de los mensajes cifrados se enviaría al servidor. Esto fue parcheado en Matrix-react-sdk 3.105.0. Las implementaciones que confían en sus servidores domésticos, así como las federaciones cerradas de servidores confiables, no se ven afectadas. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad.

06 Aug 2024, 18:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-08-06 18:15

Updated : 2024-08-12 18:52


NVD link : CVE-2024-42347

Mitre link : CVE-2024-42347

CVE.ORG link : CVE-2024-42347


JSON object : View

Products Affected

matrix

  • matrix-react-sdk
CWE
NVD-CWE-noinfo CWE-359

Exposure of Private Personal Information to an Unauthorized Actor