GHSA-5crw-6j7v-xc72
Suggest an improvement- Source
- https://github.com/advisories/GHSA-5crw-6j7v-xc72
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-5crw-6j7v-xc72/GHSA-5crw-6j7v-xc72.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-5crw-6j7v-xc72
- Aliases
- Related
- Published
- 2023-09-08T13:18:23Z
- Modified
- 2024-08-21T14:56:38.762811Z
- Severity
-
- 4.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N CVSS Calculator
- Summary
- matrix-media-repo: Unsafe media served inline on download endpoints
- Details
-
Impact
A malicious user can upload an SVG image containing JavaScript to their server. When matrix-media-repo is asked to serve that media via the
/_matrix/media/(r0|v3)/downloadendpoint, it would be served with aContent-Dispositionofinline. This can allow JavaScript to run in the browser if a client links to the/downloadendpoint directly.Server operators which do not share a domain between matrix-media-repo and other services are not affected, but are encouraged to upgrade regardless.
Patches
https://github.com/turt2live/matrix-media-repo/commit/77ec2354e8f46d5ef149d1dcaf25f51c04149137 and https://github.com/turt2live/matrix-media-repo/commit/bf8abdd7a5371118e280c65a8e0ec2b2e9bdaf59 fix the issue. Operators should upgrade to v1.3.0 as soon as possible.
Workarounds
The
Content-Dispositionheader can be overridden by the reverse proxy in front of matrix-media-repo to always useattachment, defeating this issue at the cost of "worse" user experience when clicking download links.References
https://developer.mozilla.org/en-US/docs/Web/SVG/Element/script
- Database specific
{ "nvd_published_at": "2023-09-08T20:15:14Z", "cwe_ids": [ "CWE-79" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2023-09-08T13:18:23Z" }- References
-
- https://github.com/turt2live/matrix-media-repo/security/advisories/GHSA-5crw-6j7v-xc72
- https://nvd.nist.gov/vuln/detail/CVE-2023-41318
- https://github.com/turt2live/matrix-media-repo/commit/77ec2354e8f46d5ef149d1dcaf25f51c04149137
- https://github.com/turt2live/matrix-media-repo/commit/bf8abdd7a5371118e280c65a8e0ec2b2e9bdaf59
- https://developer.mozilla.org/en-US/docs/Web/SVG/Element/script
- https://github.com/turt2live/matrix-media-repo
Affected packages
Go / github.com/turt2live/matrix-media-repo
Package
- Name
- github.com/turt2live/matrix-media-repo
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/turt2live/matrix-media-repo