CVE-2023-28427

Name
CVE-2023-28427
Description
matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. In versions prior to 24.0.0 events sent with special strings in key places can temporarily disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer's ability to process data safely. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer. This vulnerability is distinct from GHSA-rfv9-x7hh-xc32 which covers a similar issue. The issue has been patched in matrix-js-sdk 24.0.0 and users are advised to upgrade. There are no known workarounds for this vulnerability.
NVD Severity
high
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
MISC https://matrix.org/blog/2023/03/28/security-releases-matrix-js-sdk-24-0-0-and-matrix-react-sdk-3-69-0
MISC https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-mwq8-fjpf-c2gr
MISC https://www.debian.org/security/2023/dsa-5392
MISC https://lists.debian.org/debian-lts-announce/2023/04/msg00027.html
MISC https://security.gentoo.org/glsa/202305-36

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:matrix:javascript_sdk:*:*:*:*:*:node.js:*:* javascript_sdk >= None < 24.0.0

Vulnerable and fixed packages

Source package Branch Version Maintainer Status