Matrix React SDK Vulnerability Could Expose End-to-End Encrypted Messages
CVE-2024-42347

6.5MEDIUM

Key Information:

Vendor: matrix-react-sdk
Status: Matrix-react-sdk
Vendor: CVE Published:; 6 August 2024

🔔 Create matrix-react-sdk Vulnerability Alert

What is CVE-2024-42347?

matrix-react-sdk is a react-based SDK for inserting a Matrix chat/voip client into a web page. A malicious homeserver could manipulate a user's account data to cause the client to enable URL previews in end-to-end encrypted rooms, in which case any URLs in encrypted messages would be sent to the server. This was patched in matrix-react-sdk 3.105.0. Deployments that trust their homeservers, as well as closed federations of trusted servers, are not affected. Users are advised to upgrade. There are no known workarounds for this vulnerability.

References

https://github.com/matrix-org/matrix-react-sdk/security/a...

https://github.com/matrix-org/matrix-react-sdk/releases/t...

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 6, 2024