阿里云漏洞库

漏洞描述

Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript. Starting with version 17.1.0-rc.1, improperly formed beacon events can disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer's ability to process data safely. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer. This is patched in matrix-js-sdk v19.7.0. Redacting applicable events, waiting for the sync processor to store data, and restarting the client are possible workarounds. Alternatively, redacting the applicable events and clearing all storage will fix the further perceived issues. Downgrading to an unaffected version, noting that such a version may be subject to other vulnerabilities, will additionally resolve the issue.

解决建议

建议您更新当前系统或软件至最新版，完成漏洞的修复。

参考链接
https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63...
https://github.com/matrix-org/matrix-js-sdk/releases/tag/v19.7.0
https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-hvv8-5v86-r45x
https://github.com/matrix-org/matrix-spec-proposals/pull/3488
https://security.gentoo.org/glsa/202210-35

受影响软件情况

1
#	类型	厂商	产品	版本	影响面
	运行在以下环境
	应用	matrix	javascript_sdk	*	From (including) 17.1.0	Up to (excluding) 19.7.0
	运行在以下环境
	应用	matrix	javascript_sdk	17.1.0	-
	运行在以下环境
	系统	alma_linux_8	thunderbird	*		Up to (excluding) 102.4.0-1.el8_6.alma.plus.1
	运行在以下环境
	系统	alma_linux_9	thunderbird	*		Up to (excluding) 102.4.0-1.el9_0.alma.plus
	运行在以下环境
	系统	alpine_3.16	riot-web	*		Up to (excluding) 1.11.7-r0
	运行在以下环境
	系统	alpine_3.17	riot-web	*		Up to (excluding) 1.11.7-r0
	运行在以下环境
	系统	alpine_3.18	element-web	*		Up to (excluding) 1.11.7-r0
	运行在以下环境
	系统	alpine_3.19	element-web	*		Up to (excluding) 1.11.7-r0
	运行在以下环境
	系统	amazon_2	thunderbird	*		Up to (excluding) 102.4.0-1.amzn2.0.1
	运行在以下环境
	系统	anolis_os_7	thunderbird	*		Up to (excluding) 102.4.0-1.0.1
	运行在以下环境
	系统	anolis_os_8	thunderbird	*		Up to (excluding) 102.4.0-1.0.1
	运行在以下环境
	系统	opensuse_Leap_15.3	MozillaThunderbird	*		Up to (excluding) 102.4.0-150200.8.85.1
	运行在以下环境
	系统	opensuse_Leap_15.4	MozillaThunderbird	*		Up to (excluding) 102.4.0-150200.8.85.1
	运行在以下环境
	系统	oracle_7	thunderbird	*		Up to (excluding) 102.4.0-1.0.1.el7_9
	运行在以下环境
	系统	oracle_8	thunderbird	*		Up to (excluding) 102.4.0-1.0.1.el8_6
	运行在以下环境
	系统	oracle_9	thunderbird	*		Up to (excluding) 102.4.0-1.el9_0
	运行在以下环境
	系统	redhat_7	thunderbird	*		Up to (excluding) 102.4.0-1.el7_9
	运行在以下环境
	系统	redhat_8	thunderbird	*		Up to (excluding) 102.4.0-1.el8_6
	运行在以下环境
	系统	redhat_9	thunderbird	*		Up to (excluding) 102.4.0-1.el9_0
	运行在以下环境
	系统	rocky_linux_8	thunderbird	*		Up to (excluding) 102.4.0-1.el8_6
	运行在以下环境
	系统	ubuntu_18.04	thunderbird	*		Up to (excluding) 102.4.2+build2-0ubuntu0.18.04.1
	运行在以下环境
	系统	ubuntu_20.04	thunderbird	*		Up to (excluding) 102.4.2+build2-0ubuntu0.20.04.1
	运行在以下环境
	系统	ubuntu_22.04	thunderbird	*		Up to (excluding) 102.4.2+build2-0ubuntu0.22.04.1
	运行在以下环境
	系统	ubuntu_22.10	thunderbird	*		Up to (excluding) 102.4.2+build2-0ubuntu0.22.10.1

攻击路径

本地
攻击复杂度

困难
权限要求

普通权限
影响范围

有限影响
EXP成熟度

未验证
补丁情况

官方补丁
数据保密性

无影响
数据完整性

N/A
服务器危害

无影响
全网数量

N/A

CWE-ID	漏洞类型
CWE-20	输入验证不恰当
NVD-CWE-noinfo

中危 matrix javascript_sdk 输入验证不恰当

漏洞描述

解决建议

参考链接

受影响软件情况