阿里云漏洞库

漏洞描述

matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. In versions prior to 24.0.0 events sent with special strings in key places can temporarily disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer's ability to process data safely. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer. This vulnerability is distinct from GHSA-rfv9-x7hh-xc32 which covers a similar issue. The issue has been patched in matrix-js-sdk 24.0.0 and users are advised to upgrade. There are no known workarounds for this vulnerability.

解决建议

建议您更新当前系统或软件至最新版，完成漏洞的修复。

参考链接
https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-mwq8-fjpf-c2gr
https://lists.debian.org/debian-lts-announce/2023/04/msg00027.html
https://matrix.org/blog/2023/03/28/security-releases-matrix-js-sdk-24-0-0-and...
https://security.gentoo.org/glsa/202305-36
https://www.debian.org/security/2023/dsa-5392

受影响软件情况

1
#	类型	厂商	产品	版本	影响面
	运行在以下环境
	应用	matrix	javascript_sdk	*		Up to (excluding) 24.0.0
	运行在以下环境
	系统	alma_linux_8	thunderbird	*		Up to (excluding) 102.10.0-2.el8_7.alma
	运行在以下环境
	系统	alma_linux_9	thunderbird	*		Up to (excluding) 102.10.0-2.el9_1.alma
	运行在以下环境
	系统	alpine_3.17	riot-web	*		Up to (excluding) 1.11.26-r0
	运行在以下环境
	系统	alpine_3.18	element-web	*		Up to (excluding) 1.11.26-r0
	运行在以下环境
	系统	alpine_3.19	element-web	*		Up to (excluding) 1.11.26-r0
	运行在以下环境
	系统	anolis_os_7	thunderbird	*		Up to (excluding) 102.10.0-2.0.1
	运行在以下环境
	系统	anolis_os_8	thunderbird	*		Up to (excluding) 102.10.0-2.0.1
	运行在以下环境
	系统	centos_7	thunderbird	*		Up to (excluding) 102.10.0-2.el7.centos
	运行在以下环境
	系统	debian_12	thunderbird	*		Up to (excluding) 102.9.1-1
	运行在以下环境
	系统	opensuse_Leap_15.4	MozillaThunderbird	*		Up to (excluding) 102.9.1-150200.8.110.2
	运行在以下环境
	系统	oracle_7	thunderbird	*		Up to (excluding) 102.10.0-2.0.1.el7_9
	运行在以下环境
	系统	oracle_8	thunderbird	*		Up to (excluding) 102.10.0-2.0.1.el8_7
	运行在以下环境
	系统	oracle_9	thunderbird	*		Up to (excluding) 102.10.0-2.0.1.el9_1
	运行在以下环境
	系统	redhat_7	thunderbird	*		Up to (excluding) 102.10.0-2.el7_9
	运行在以下环境
	系统	redhat_8	thunderbird	*		Up to (excluding) 102.10.0-2.el8_7
	运行在以下环境
	系统	redhat_9	thunderbird	*		Up to (excluding) 102.10.0-2.el9_1
	运行在以下环境
	系统	rocky_linux_8	thunderbird	*		Up to (excluding) 102.10.0-2.el8_7
	运行在以下环境
	系统	rocky_linux_9	thunderbird	*		Up to (excluding) 102.10.0-2.el9_1

攻击路径

本地
攻击复杂度

复杂
权限要求

普通权限
影响范围

越权影响
EXP成熟度

未验证
补丁情况

官方补丁
数据保密性

数据泄露
数据完整性

无影响
服务器危害

无影响
全网数量

N/A

CWE-ID	漏洞类型
CWE-1321	Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

中危 Matrix-org Matrix-js-sdk 原型污染漏洞(CVE-2023-28427)

漏洞描述

解决建议

参考链接

受影响软件情况