CVE-2023-28427

matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. In versions prior to 24.0.0 events sent with special strings in key places can temporarily disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer's ability to process data safely. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer. This vulnerability is distinct from GHSA-rfv9-x7hh-xc32 which covers a similar issue. The issue has been patched in matrix-js-sdk 24.0.0 and users are advised to upgrade. There are no known workarounds for this vulnerability.

Database specific

{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/28xxx/CVE-2023-28427.json",
    "cwe_ids": [
        "CWE-1321"
    ]
}

References

Affected packages

Git / github.com/matrix-org/matrix-js-sdk

Affected ranges

Type: GIT
Repo: https://github.com/matrix-org/matrix-js-sdk
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

c87048bd9f6e01681ec1ea048101ab4b3a6215e3

Affected versions

v0.*

v0.1.0

v0.1.1

v0.10.2

v0.10.2-rc.1

v0.10.3

v0.10.3-rc.1

v0.10.5

v0.10.5-rc.1

v0.10.7

v0.10.7-rc.1

v0.11.0

v0.11.0-rc.1

v0.2.0

v0.2.1

v0.2.2

v0.4.1

v0.4.2

v0.5.0

v0.5.1

v0.5.2

v0.5.3

v0.5.4

v0.5.5

v0.5.6

v0.6.0-rc1

v0.6.0-rc2

v0.6.1

v0.6.2

v0.6.4

v0.6.4-rc.2

v0.7.1-rc.1

v0.7.10

v0.7.2

v0.7.4

v0.7.4-rc.1

v0.7.9

v0.8.0

v0.8.1

v0.8.1-rc.1

v0.8.2

v0.8.3

v0.8.3-rc.1

v1.*

v1.0.0

v1.0.0-rc.1

v1.0.0-rc.2

v2.*

v2.0.1

v2.0.1-rc.1

v2.0.1-rc.2

v2.4.1

v23.*

v23.5.0

v23.5.0-rc.1

v5.*

v5.0.1

v7.*

v7.1.0

v7.1.0-rc.1

v8.*

v8.0.0

v8.1.0

v8.1.0-rc.1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-28427.json"