Main Vulnerability Database SB2024101651

SB2024101651 - Missing authorization in Matrix Javascript SDK

Published: October 16, 2024

Security Bulletin ID SB2024101651

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Missing Authorization (CVE-ID: CVE-2024-47080)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to the way the MatrixClient.sendSharedHistoryKeys method shares historical message keys with newly invited users. A remote attacker can inject their own devices to receive sensitive historical keys and access past messages in the room without proper security checks.

Remediation

Install update from vendor's website.

References

https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-4jf8-g8wp-cx7c
https://github.com/matrix-org/matrix-spec-proposals/pull/3061
https://github.com/matrix-org/matrix-js-sdk/commit/2fb1e659c81f75253c047832dc9dcc2beddfac5f