Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CVE Vulnerability Details :
CVE-2023-28427
PUBLISHED
More InfoOfficial Page
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
View Known Exploited Vulnerability (KEV) details
Published At-28 Mar, 2023 | 20:32
Updated At-18 Feb, 2025 | 20:03
Rejected At-
▼CVE Numbering Authority (CNA)
Prototype pollution in matrix-js-sdk

matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. In versions prior to 24.0.0 events sent with special strings in key places can temporarily disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer's ability to process data safely. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer. This vulnerability is distinct from GHSA-rfv9-x7hh-xc32 which covers a similar issue. The issue has been patched in matrix-js-sdk 24.0.0 and users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected Products
Vendor
The Matrix.org Foundationmatrix-org
Product
matrix-js-sdk
Versions
Affected
  • < 24.0.0
Problem Types
TypeCWE IDDescription
CWECWE-1321CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Type: CWE
CWE ID: CWE-1321
Description: CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Metrics
VersionBase scoreBase severityVector
3.18.2HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Version: 3.1
Base score: 8.2
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-mwq8-fjpf-c2gr
x_refsource_CONFIRM
https://matrix.org/blog/2023/03/28/security-releases-matrix-js-sdk-24-0-0-and-matrix-react-sdk-3-69-0
x_refsource_MISC
https://www.debian.org/security/2023/dsa-5392
N/A
https://lists.debian.org/debian-lts-announce/2023/04/msg00027.html
N/A
https://security.gentoo.org/glsa/202305-36
N/A
Hyperlink: https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-mwq8-fjpf-c2gr
Resource:
x_refsource_CONFIRM
Hyperlink: https://matrix.org/blog/2023/03/28/security-releases-matrix-js-sdk-24-0-0-and-matrix-react-sdk-3-69-0
Resource:
x_refsource_MISC
Hyperlink: https://www.debian.org/security/2023/dsa-5392
Resource: N/A
Hyperlink: https://lists.debian.org/debian-lts-announce/2023/04/msg00027.html
Resource: N/A
Hyperlink: https://security.gentoo.org/glsa/202305-36
Resource: N/A
▼Authorized Data Publishers (ADP)
1. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-mwq8-fjpf-c2gr
x_refsource_CONFIRM
x_transferred
https://matrix.org/blog/2023/03/28/security-releases-matrix-js-sdk-24-0-0-and-matrix-react-sdk-3-69-0
x_refsource_MISC
x_transferred
https://www.debian.org/security/2023/dsa-5392
x_transferred
https://lists.debian.org/debian-lts-announce/2023/04/msg00027.html
x_transferred
https://security.gentoo.org/glsa/202305-36
x_transferred
Hyperlink: https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-mwq8-fjpf-c2gr
Resource:
x_refsource_CONFIRM
x_transferred
Hyperlink: https://matrix.org/blog/2023/03/28/security-releases-matrix-js-sdk-24-0-0-and-matrix-react-sdk-3-69-0
Resource:
x_refsource_MISC
x_transferred
Hyperlink: https://www.debian.org/security/2023/dsa-5392
Resource:
x_transferred
Hyperlink: https://lists.debian.org/debian-lts-announce/2023/04/msg00027.html
Resource:
x_transferred
Hyperlink: https://security.gentoo.org/glsa/202305-36
Resource:
x_transferred
2. CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Details not found