#VU98728 Missing Authorization in Matrix Javascript SDK - CVE-2024-47080

 

Published: October 16, 2024


Vulnerability identifier: #VU98728
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2024-47080
CWE-ID: CWE-862
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Matrix Javascript SDK
Software vendor: Matrix.org

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to the way the MatrixClient.sendSharedHistoryKeys method shares historical message keys with newly invited users. A remote attacker can inject their own devices to receive sensitive historical keys and access past messages in the room without proper security checks.


Remediation

Install updates from the vendor's website.
