matrix-appservice-bridge doesn't verify the sub parameter of an openId token exhange, allowing unauthorized access to provisioning APIs
CVE-2023-38691

5MEDIUM

Key Information:

Vendor: Matrix-org
Status: Matrix-appservice-bridge
Vendor: CVE Published:; 4 August 2023

What is CVE-2023-38691?

matrix-appservice-bridge provides an API for setting up bridges. Starting in version 4.0.0 and prior to versions 8.1.2 and 9.0.1, a malicious Matrix server can use a foreign user's MXID in an OpenID exchange, allowing a bad actor to impersonate users when using the provisioning API. The library does not check that the servername part of the sub parameter (containing the user's claimed MXID) is the the same as the servername we are talking to. A malicious actor could spin up a server on any given domain, respond with a sub parameter according to the user they want to act as and use the resulting token to perform provisioning requests. Versions 8.1.2 and 9.0.1 contain a patch. As a workaround, disable the provisioning API.

Affected Version(s)

matrix-appservice-bridge >= 4.0.0, < 8.1.2 < 4.0.0, 8.1.2

matrix-appservice-bridge = 9.0.0 = 9.0.0

References

https://github.com/matrix-org/matrix-appservice-bridge/se...

x_refsource_CONFIRM

https://github.com/matrix-org/matrix-appservice-bridge/co...

x_refsource_MISC

CVSS V3.1

Score:

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 4, 2023
Vulnerability Reserved
Jul 24, 2023

Matrix-org

What is CVE-2023-38691?

Affected Version(s)

References

CVSS V3.1

Timeline