WEB APPLICATION VULNERABILITIES SCA (Software Composition Analysis)

CVE-2021-40823 Vulnerability in npm package matrix-js-sdk

Description

A logic error in the room key sharing functionality of matrix-js-sdk (aka Matrix Javascript SDK) before 12.4.1 allows a malicious Matrix homeserver present in an encrypted room to steal room encryption keys (via crafted Matrix protocol messages) that were originally sent by affected Matrix clients participating in that room. This allows the homeserver to decrypt end-to-end encrypted messages sent by affected clients.

Remediation

References

https://github.com/matrix-org/matrix-js-sdk/releases/tag/v12.4.1

https://matrix.org/blog/2021/09/13/vulnerability-disclosure-key-sharing

Related Vulnerabilities

CVE-2021-43838 Vulnerability in npm package jsx-slack

CVE-2022-29167 Vulnerability in maven package org.webjars.npm:hawk

CVE-2019-10311 Vulnerability in maven package org.jenkins-ci.plugins:ansible-tower

CVE-2017-3586 Vulnerability in maven package mysql:mysql-connector-java

CVE-2018-1000616 Vulnerability in maven package org.onosproject:onos-cli

Severity

Medium

Classification

CWE-290 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Tags

Third Party Advisory Vendor Advisory