CVE-2023-28103

Name: CVE-2023-28103

Description: matrix-react-sdk is a Matrix chat protocol SDK for React JavaScript. In certain configurations, data sent by remote servers containing special strings in key locations could modify `Object.prototype`, disrupting matrix-react-sdk functionality, causing denial of service and potentially affecting program logic. This is fixed in matrix-react-sdk 3.69.0 and users are advised to upgrade. There are no known workarounds for this vulnerability. Note that this advisory is distinct from GHSA-2x9c-qwgf-94xr, which refers to a similar issue.

NVD Severity: high
Forges: GitHub (code, issues), Aports (code, issues)

References

Type  URI
MISC  https://matrix.org/blog/2023/03/28/security-releases-matrix-js-sdk-24-0-0-and-matrix-react-sdk-3-69-0
MISC  https://github.com/matrix-org/matrix-react-sdk/security/advisories/GHSA-6g43-88cp-w5gv

Match rules

CPE URI:        cpe:2.3:a:matrix-react-sdk_project:matrix-react-sdk:*:*:*:*:*:node.js:*:*
Source package: matrix-react-sdk
Min version:    none (no lower bound)
Max version:    < 3.69.0

Vulnerable and fixed packages

Source package  Branch           Version     Maintainer                                   Status
riot-web        edge-community   1.11.26-r0  Lauren N. Liberda <lauren@selfisekai.rocks>  fixed
riot-web        3.17-community   1.11.26-r0  Lauren N. Liberda <lauren@selfisekai.rocks>  fixed
element-web     edge-community   1.11.26-r0  (none)                                       fixed
element-web     3.22-community   1.11.26-r0  (none)                                       fixed
element-web     3.21-community   1.11.26-r0  (none)                                       fixed
element-web     3.20-community   1.11.26-r0  (none)                                       fixed
element-web     3.19-community   1.11.26-r0  (none)                                       fixed
element-web     3.18-community   1.11.26-r0  (none)                                       fixed