Package Instance
Look up vulnerable packages by Package URL.
GET /api/packages/39389?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/39389?format=api", "purl": "pkg:npm/matrix-js-sdk@12.4.1", "type": "npm", "namespace": "", "name": "matrix-js-sdk", "version": "12.4.1", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "38.2.0", "latest_non_vulnerable_version": "38.2.0", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/11799?format=api", "vulnerability_id": "VCID-1mm2-4b1k-afat", "summary": "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')\nThe olm_session_describe function in Matrix libolm is vulnerable to a buffer overflow. The Olm session object represents a cryptographic channel between two parties. Therefore, its state is partially controllable by the remote party of the channel. Attackers can construct a crafted sequence of messages to manipulate the state of the receiver's session in such a way that, for some buffer sizes, a buffer overflow happens on a call to olm_session_describe. Furthermore, safe buffer sizes were undocumented. The overflow content is partially controllable by the attacker and limited to ASCII spaces and digits. 
The known affected products are Element Web And SchildiChat Web.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-44538", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01416", "scoring_system": "epss", "scoring_elements": "0.80586", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.01416", "scoring_system": "epss", "scoring_elements": "0.80503", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.01416", "scoring_system": "epss", "scoring_elements": "0.80578", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.01416", "scoring_system": "epss", "scoring_elements": "0.80564", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.01416", "scoring_system": "epss", "scoring_elements": "0.80556", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.01416", "scoring_system": "epss", "scoring_elements": "0.80585", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.01416", "scoring_system": "epss", "scoring_elements": "0.80509", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.01416", "scoring_system": "epss", "scoring_elements": "0.80531", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.01416", "scoring_system": "epss", "scoring_elements": "0.80521", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.01416", "scoring_system": "epss", "scoring_elements": "0.8055", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.01416", "scoring_system": "epss", "scoring_elements": "0.8056", "published_at": "2026-04-09T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-44538" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38496", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38496" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38500", "reference_id": "", "reference_type": "", "scores": [], "url": 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38500" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38502", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38502" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38503", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38503" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38504", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38504" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38506", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38506" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38507", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38507" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38508", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38508" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38509", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38509" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4126", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4126" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4129", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4129" }, { 
"reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43528", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43528" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43529", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43529" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43534", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43534" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43535", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43535" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43536", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43536" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43537", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43537" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43538", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43538" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43539", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43539" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43541", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43541" }, { "reference_url": 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43542", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43542" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43543", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43543" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43545", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43545" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43546", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43546" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44538", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44538" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://gitlab.matrix.org/matrix-org/olm/-/tags", "reference_id": "", "reference_type": "", "scores": [], "url": "https://gitlab.matrix.org/matrix-org/olm/-/tags" }, { "reference_url": "https://matrix.org/blog/2021/12/13/disclosure-buffer-overflow-in-libolm-and-matrix-js-sdk", "reference_id": "", "reference_type": "", "scores": [], "url": "https://matrix.org/blog/2021/12/13/disclosure-buffer-overflow-in-libolm-and-matrix-js-sdk" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001664", "reference_id": "1001664", "reference_type": "", "scores": [], 
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001664" }, { "reference_url": "https://security.archlinux.org/AVG-2638", "reference_id": "AVG-2638", "reference_type": "", "scores": [ { "value": "Medium", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2638" }, { "reference_url": "https://security.archlinux.org/AVG-2639", "reference_id": "AVG-2639", "reference_type": "", "scores": [ { "value": "Medium", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2639" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44538", "reference_id": "CVE-2021-44538", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44538" }, { "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2021-55", "reference_id": "mfsa2021-55", "reference_type": "", "scores": [ { "value": "none", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2021-55" }, { "reference_url": "https://usn.ubuntu.com/5246-1/", "reference_id": "USN-5246-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/5246-1/" }, { "reference_url": "https://usn.ubuntu.com/5248-1/", "reference_id": "USN-5248-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/5248-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/42295?format=api", "purl": "pkg:npm/matrix-js-sdk@15.2.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6szy-r2cd-9kfw" }, { "vulnerability": "VCID-9747-ab3e-4bbg" }, { "vulnerability": "VCID-9uwh-r958-gyg3" }, { "vulnerability": "VCID-cw2e-p5x2-j7fu" }, { "vulnerability": "VCID-f4t7-jun7-3qh4" }, { "vulnerability": "VCID-fs3v-8fsn-uygj" }, { "vulnerability": "VCID-qetp-58nm-4fes" }, { "vulnerability": "VCID-qxh6-26ps-ykhu" }, { "vulnerability": "VCID-r824-dgt3-wucc" 
}, { "vulnerability": "VCID-tj5a-r7hy-zfer" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/matrix-js-sdk@15.2.1" } ], "aliases": [ "CVE-2021-44538" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1mm2-4b1k-afat" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/17242?format=api", "vulnerability_id": "VCID-6szy-r2cd-9kfw", "summary": "matrix-js-sdk has insufficient MXC URI validation which allows client-side path traversal\n### Summary\n\nmatrix-js-sdk before 34.11.0 is vulnerable to client-side path traversal via crafted MXC URIs. A malicious room member can trigger clients based on the matrix-js-sdk to issue arbitrary authenticated GET requests to the client's homeserver.\n\n### Details\n\nThe Matrix specification demands homeservers to [perform validation](https://spec.matrix.org/v1.12/client-server-api/#security-considerations-5) of the `server-name` and `media-id` components of MXC URIs with the intent to prevent path traversal. However, it is not mentioned that a similar check must also be performed on the client to prevent *client-side* path traversal. 
matrix-js-sdk fails to perform this validation.\n\n### Patches\n\nFixed in matrix-js-sdk 34.11.1.\n\n### Workarounds\n\nNone.\n\n### References\n\n- https://spec.matrix.org/v1.12/client-server-api/#security-considerations-5\n- https://blog.doyensec.com/2024/07/02/cspt2csrf.html", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-50336", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00647", "scoring_system": "epss", "scoring_elements": "0.70702", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00877", "scoring_system": "epss", "scoring_elements": "0.75353", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00877", "scoring_system": "epss", "scoring_elements": "0.75346", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00877", "scoring_system": "epss", "scoring_elements": "0.75307", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00877", "scoring_system": "epss", "scoring_elements": "0.7534", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00877", "scoring_system": "epss", "scoring_elements": "0.75318", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00877", "scoring_system": "epss", "scoring_elements": "0.75308", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00877", "scoring_system": "epss", "scoring_elements": "0.75265", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00877", "scoring_system": "epss", "scoring_elements": "0.75288", "published_at": "2026-04-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-50336" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50336", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50336" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", 
"scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/matrix-org/matrix-js-sdk", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/matrix-js-sdk" }, { "reference_url": "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-xvg8-m4x3-w6xr", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-12T17:11:23Z/" } ], "url": "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-xvg8-m4x3-w6xr" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00004.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00004.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50336", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": 
"generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50336" }, { "reference_url": "https://spec.matrix.org/v1.12/client-server-api/#security-considerations-5", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-12T17:11:23Z/" } ], "url": "https://spec.matrix.org/v1.12/client-server-api/#security-considerations-5" }, { "reference_url": "https://github.com/advisories/GHSA-xvg8-m4x3-w6xr", "reference_id": "GHSA-xvg8-m4x3-w6xr", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-xvg8-m4x3-w6xr" }, { "reference_url": "https://security.gentoo.org/glsa/202505-03", "reference_id": "GLSA-202505-03", "reference_type": "", "scores": [], "url": "https://security.gentoo.org/glsa/202505-03" }, { "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2024-69", "reference_id": "mfsa2024-69", "reference_type": "", "scores": [ { "value": "none", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2024-69" }, { "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2025-04", "reference_id": "mfsa2025-04", "reference_type": "", "scores": [ { "value": "high", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2025-04" }, { "reference_url": "https://usn.ubuntu.com/7991-1/", "reference_id": "USN-7991-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7991-1/" } ], "fixed_packages": [ { "url": 
"http://public2.vulnerablecode.io/api/packages/57025?format=api", "purl": "pkg:npm/matrix-js-sdk@34.11.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-tj5a-r7hy-zfer" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/matrix-js-sdk@34.11.1" } ], "aliases": [ "CVE-2024-50336", "GHSA-xvg8-m4x3-w6xr" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6szy-r2cd-9kfw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/17227?format=api", "vulnerability_id": "VCID-9747-ab3e-4bbg", "summary": "Missing Authorization\nmatrix-js-sdk is the Matrix Client-Server SDK for JavaScript and TypeScript. An attacker present in a room where an MSC3401 group call is taking place can eavesdrop on the video and audio of participants using matrix-js-sdk, without their knowledge. To affected matrix-js-sdk users, the attacker will not appear to be participating in the call. This attack is possible because matrix-js-sdk's group call implementation accepts incoming direct calls from other users, even if they have not yet declared intent to participate in the group call, as a means of resolving a race condition in call setup. Affected versions do not restrict access to the user's outbound media in this case. Legacy 1:1 calls are unaffected. This is fixed in matrix-js-sdk 24.1.0. 
As a workaround, users may hold group calls in private rooms where only the exact users who are expected to participate in the call are present.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-29529", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00314", "scoring_system": "epss", "scoring_elements": "0.54578", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00316", "scoring_system": "epss", "scoring_elements": "0.54675", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00316", "scoring_system": "epss", "scoring_elements": "0.54719", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00316", "scoring_system": "epss", "scoring_elements": "0.54667", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00316", "scoring_system": "epss", "scoring_elements": "0.54697", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00316", "scoring_system": "epss", "scoring_elements": "0.5469", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00316", "scoring_system": "epss", "scoring_elements": "0.54711", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00316", "scoring_system": "epss", "scoring_elements": "0.54728", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00316", "scoring_system": "epss", "scoring_elements": "0.54715", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00325", "scoring_system": "epss", "scoring_elements": "0.55564", "published_at": "2026-04-16T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-29529" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29529", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29529" }, { "reference_url": "https://github.com/matrix-org/matrix-js-sdk", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": 
"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/matrix-js-sdk" }, { "reference_url": "https://github.com/matrix-org/matrix-js-sdk/releases/tag/v24.1.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N" }, { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-06T18:45:25Z/" } ], "url": "https://github.com/matrix-org/matrix-js-sdk/releases/tag/v24.1.0" }, { "reference_url": "https://github.com/matrix-org/matrix-spec-proposals/pull/3401", "reference_id": "", "reference_type": "", "scores": [ { "value": "5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N" }, { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-06T18:45:25Z/" } ], "url": "https://github.com/matrix-org/matrix-spec-proposals/pull/3401" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29529", "reference_id": "CVE-2023-29529", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29529" }, { "reference_url": "https://github.com/advisories/GHSA-6g67-q39g-r79q", 
"reference_id": "GHSA-6g67-q39g-r79q", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6g67-q39g-r79q" }, { "reference_url": "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-6g67-q39g-r79q", "reference_id": "GHSA-6g67-q39g-r79q", "reference_type": "", "scores": [ { "value": "5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N" }, { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-06T18:45:25Z/" } ], "url": "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-6g67-q39g-r79q" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/57013?format=api", "purl": "pkg:npm/matrix-js-sdk@24.1.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6szy-r2cd-9kfw" }, { "vulnerability": "VCID-9uwh-r958-gyg3" }, { "vulnerability": "VCID-qetp-58nm-4fes" }, { "vulnerability": "VCID-tj5a-r7hy-zfer" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/matrix-js-sdk@24.1.0" } ], "aliases": [ "CVE-2023-29529", "GHSA-6g67-q39g-r79q" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9747-ab3e-4bbg" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/15737?format=api", "vulnerability_id": "VCID-9uwh-r958-gyg3", "summary": "matrix-js-sdk will freeze when a user sets a room with itself as a its predecessor\n### Impact\nA malicious homeserver can craft a room or room structure 
such that the predecessors form a cycle. The matrix-js-sdk's `getRoomUpgradeHistory` function will infinitely recurse in this case, causing the code to hang. This method is public but also called by the 'leaveRoomChain()' method, so leaving a room will also trigger the bug.\n\nEven if the CVSS score would be 4.1 ([AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:L](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:L&version=3.1)) we classify this as High severity issue.\n\n### Patches\nThis was patched in matrix-js-sdk 34.3.1.\n\n### Workarounds\nSanity check rooms before passing them to the matrix-js-sdk or avoid calling either `getRoomUpgradeHistory` or `leaveRoomChain`.\n\n### References\nN/A.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-42369", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00205", "scoring_system": "epss", "scoring_elements": "0.42638", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00205", "scoring_system": "epss", "scoring_elements": "0.42685", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00205", "scoring_system": "epss", "scoring_elements": "0.42699", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00205", "scoring_system": "epss", "scoring_elements": "0.42639", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00205", "scoring_system": "epss", "scoring_elements": "0.42656", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00205", "scoring_system": "epss", "scoring_elements": "0.42693", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00205", "scoring_system": "epss", "scoring_elements": "0.42669", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00205", "scoring_system": "epss", "scoring_elements": "0.42658", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00205", "scoring_system": "epss", "scoring_elements": "0.42606", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00205", 
"scoring_system": "epss", "scoring_elements": "0.42666", "published_at": "2026-04-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-42369" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-42369", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-42369" }, { "reference_url": "https://github.com/matrix-org/matrix-js-sdk", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:L" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/matrix-js-sdk" }, { "reference_url": "https://github.com/matrix-org/matrix-js-sdk/commit/a0efed8b881b3db6c9f2c71d6a6e74c2828978c6", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:L" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-21T14:41:11Z/" } ], "url": "https://github.com/matrix-org/matrix-js-sdk/commit/a0efed8b881b3db6c9f2c71d6a6e74c2828978c6" }, { "reference_url": "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-vhr5-g3pm-49fm", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, 
{ "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-21T14:41:11Z/" } ], "url": "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-vhr5-g3pm-49fm" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42369", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:L" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42369" }, { "reference_url": "https://github.com/advisories/GHSA-vhr5-g3pm-49fm", "reference_id": "GHSA-vhr5-g3pm-49fm", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-vhr5-g3pm-49fm" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/54939?format=api", "purl": "pkg:npm/matrix-js-sdk@34.3.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6szy-r2cd-9kfw" }, { "vulnerability": "VCID-qetp-58nm-4fes" }, { "vulnerability": "VCID-tj5a-r7hy-zfer" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/matrix-js-sdk@34.3.1" } ], "aliases": [ "CVE-2024-42369", "GHSA-vhr5-g3pm-49fm" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9uwh-r958-gyg3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/16963?format=api", 
"vulnerability_id": "VCID-cw2e-p5x2-j7fu", "summary": "Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')\nmatrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. In versions prior to 19.4.0 events sent with special strings in key places can temporarily disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer's ability to process data safely. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer. This issue has been fixed in matrix-js-sdk 19.4.0 and users are advised to upgrade. Users unable to upgrade may mitigate this issue by redacting applicable events, waiting for the sync processor to store data, and restarting the client. Alternatively, redacting the applicable events and clearing all storage will often fix most perceived issues. In some cases, no workarounds are possible.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-36059.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-36059.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-36059", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00567", "scoring_system": "epss", "scoring_elements": "0.68538", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00567", "scoring_system": "epss", "scoring_elements": "0.68525", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00567", "scoring_system": "epss", "scoring_elements": "0.68486", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00567", "scoring_system": "epss", "scoring_elements": "0.68518", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00567", "scoring_system": 
"epss", "scoring_elements": "0.6853", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00567", "scoring_system": "epss", "scoring_elements": "0.68504", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00567", "scoring_system": "epss", "scoring_elements": "0.68487", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00567", "scoring_system": "epss", "scoring_elements": "0.68437", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00567", "scoring_system": "epss", "scoring_elements": "0.68441", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00567", "scoring_system": "epss", "scoring_elements": "0.6846", "published_at": "2026-04-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-36059" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36059", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36059" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/matrix-org/matrix-js-sdk", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/matrix-js-sdk" }, { "reference_url": "https://github.com/matrix-org/matrix-js-sdk/releases/tag/v19.4.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N" }, { "value": "HIGH", "scoring_system": 
"generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/matrix-js-sdk/releases/tag/v19.4.0" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1018970", "reference_id": "1018970", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1018970" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2123258", "reference_id": "2123258", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2123258" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36059", "reference_id": "CVE-2022-36059", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36059" }, { "reference_url": "https://github.com/advisories/GHSA-rfv9-x7hh-xc32", "reference_id": "GHSA-rfv9-x7hh-xc32", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-rfv9-x7hh-xc32" }, { "reference_url": "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-rfv9-x7hh-xc32", "reference_id": "GHSA-rfv9-x7hh-xc32", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N" }, { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-18T20:05:25Z/" } ], "url": 
"https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-rfv9-x7hh-xc32" }, { "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2022-38", "reference_id": "mfsa2022-38", "reference_type": "", "scores": [ { "value": "high", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2022-38" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:6708", "reference_id": "RHSA-2022:6708", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:6708" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:6710", "reference_id": "RHSA-2022:6710", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:6710" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:6713", "reference_id": "RHSA-2022:6713", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:6713" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:6715", "reference_id": "RHSA-2022:6715", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:6715" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:6716", "reference_id": "RHSA-2022:6716", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:6716" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:6717", "reference_id": "RHSA-2022:6717", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:6717" }, { "reference_url": "https://usn.ubuntu.com/5663-1/", "reference_id": "USN-5663-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/5663-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/56638?format=api", "purl": "pkg:npm/matrix-js-sdk@19.4.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6szy-r2cd-9kfw" }, { 
"vulnerability": "VCID-9747-ab3e-4bbg" }, { "vulnerability": "VCID-9uwh-r958-gyg3" }, { "vulnerability": "VCID-f2y6-j23h-ryb3" }, { "vulnerability": "VCID-f4t7-jun7-3qh4" }, { "vulnerability": "VCID-fs3v-8fsn-uygj" }, { "vulnerability": "VCID-qetp-58nm-4fes" }, { "vulnerability": "VCID-qxh6-26ps-ykhu" }, { "vulnerability": "VCID-r824-dgt3-wucc" }, { "vulnerability": "VCID-tj5a-r7hy-zfer" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/matrix-js-sdk@19.4.0" } ], "aliases": [ "CVE-2022-36059", "GHSA-rfv9-x7hh-xc32" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cw2e-p5x2-j7fu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50241?format=api", "vulnerability_id": "VCID-f4t7-jun7-3qh4", "summary": "Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in arbitrary code execution. Note: this summary text was inherited from a distribution advisory for Mozilla Thunderbird (listed in the references) and does not describe the matrix-js-sdk issue itself. For matrix-js-sdk the relevant record is CVE-2022-39250 / GHSA-5w8r-8pgj-5jmf, fixed in matrix-js-sdk 19.7.0; see the GitHub security advisory and the matrix.org post on encryption vulnerabilities in Matrix SDKs and clients in the references below. The published CVSS vectors for this CVE rate it as an integrity-only impact (C:N/I:H/A:N), not arbitrary code execution.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-39250.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-39250.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-39250", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00338", "scoring_system": "epss", "scoring_elements": "0.56658", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00338", "scoring_system": "epss", "scoring_elements": "0.56628", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00338", "scoring_system": "epss", "scoring_elements": "0.56649", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00338", "scoring_system": "epss", "scoring_elements": "0.56674", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00338", "scoring_system": 
"epss", "scoring_elements": "0.56665", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00338", "scoring_system": "epss", "scoring_elements": "0.5666", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00338", "scoring_system": "epss", "scoring_elements": "0.5663", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00338", "scoring_system": "epss", "scoring_elements": "0.56609", "published_at": "2026-04-07T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-39250" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39250", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39250" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/matrix-org/matrix-js-sdk", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/matrix-js-sdk" }, { "reference_url": "https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:50:35Z/" } ], "url": 
"https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76" }, { "reference_url": "https://github.com/matrix-org/matrix-js-sdk/releases/tag/v19.7.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:50:35Z/" } ], "url": "https://github.com/matrix-org/matrix-js-sdk/releases/tag/v19.7.0" }, { "reference_url": "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-5w8r-8pgj-5jmf", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:50:35Z/" } ], "url": "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-5w8r-8pgj-5jmf" }, { "reference_url": "https://matrix.org/blog/2022/09/28/upgrade-now-to-address-encryption-vulns-in-matrix-sdks-and-clients", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:50:35Z/" } ], "url": "https://matrix.org/blog/2022/09/28/upgrade-now-to-address-encryption-vulns-in-matrix-sdks-and-clients" }, { "reference_url": 
"https://nvd.nist.gov/vuln/detail/CVE-2022-39250", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39250" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021136", "reference_id": "1021136", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021136" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135395", "reference_id": "2135395", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135395" }, { "reference_url": "https://github.com/advisories/GHSA-5w8r-8pgj-5jmf", "reference_id": "GHSA-5w8r-8pgj-5jmf", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5w8r-8pgj-5jmf" }, { "reference_url": "https://security.gentoo.org/glsa/202210-35", "reference_id": "GLSA-202210-35", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:50:35Z/" } ], "url": "https://security.gentoo.org/glsa/202210-35" }, { "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2022-43", "reference_id": "mfsa2022-43", "reference_type": "", "scores": [ { "value": "high", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2022-43" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:7178", "reference_id": "RHSA-2022:7178", 
"reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:7178" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:7181", "reference_id": "RHSA-2022:7181", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:7181" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:7182", "reference_id": "RHSA-2022:7182", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:7182" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:7183", "reference_id": "RHSA-2022:7183", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:7183" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:7184", "reference_id": "RHSA-2022:7184", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:7184" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:7190", "reference_id": "RHSA-2022:7190", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:7190" }, { "reference_url": "https://usn.ubuntu.com/5724-1/", "reference_id": "USN-5724-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/5724-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/79985?format=api", "purl": "pkg:npm/matrix-js-sdk@19.7.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6szy-r2cd-9kfw" }, { "vulnerability": "VCID-9747-ab3e-4bbg" }, { "vulnerability": "VCID-9uwh-r958-gyg3" }, { "vulnerability": "VCID-fs3v-8fsn-uygj" }, { "vulnerability": "VCID-qetp-58nm-4fes" }, { "vulnerability": "VCID-tj5a-r7hy-zfer" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/matrix-js-sdk@19.7.0" } ], "aliases": [ "CVE-2022-39250", "GHSA-5w8r-8pgj-5jmf" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": 
"http://public2.vulnerablecode.io/vulnerabilities/VCID-f4t7-jun7-3qh4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/16959?format=api", "vulnerability_id": "VCID-fs3v-8fsn-uygj", "summary": "Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')\nmatrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. In versions prior to 24.0.0 events sent with special strings in key places can temporarily disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer's ability to process data safely. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer. This vulnerability is distinct from GHSA-rfv9-x7hh-xc32 which covers a similar issue. The issue has been patched in matrix-js-sdk 24.0.0 and users are advised to upgrade. There are no known workarounds for this vulnerability.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-28427.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-28427.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-28427", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00359", "scoring_system": "epss", "scoring_elements": "0.58065", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00359", "scoring_system": "epss", "scoring_elements": "0.58061", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00359", "scoring_system": "epss", "scoring_elements": "0.58086", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00359", "scoring_system": "epss", "scoring_elements": "0.58092", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00359", "scoring_system": "epss", 
"scoring_elements": "0.58112", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00359", "scoring_system": "epss", "scoring_elements": "0.58135", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00359", "scoring_system": "epss", "scoring_elements": "0.58119", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00359", "scoring_system": "epss", "scoring_elements": "0.58116", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00435", "scoring_system": "epss", "scoring_elements": "0.62906", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00435", "scoring_system": "epss", "scoring_elements": "0.62913", "published_at": "2026-04-18T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-28427" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0547", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0547" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1945", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1945" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1999", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1999" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28427", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28427" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29479", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29479" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29533", "reference_id": "", "reference_type": "", "scores": [], "url": 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29533" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29535", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29535" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29536", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29536" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29539", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29539" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29541", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29541" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29548", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29548" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29550", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29550" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/matrix-org/matrix-js-sdk", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", 
"scoring_elements": "" } ], "url": "https://github.com/matrix-org/matrix-js-sdk" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00027.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-18T20:03:37Z/" } ], "url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00027.html" }, { "reference_url": "https://matrix.org/blog/2023/03/28/security-releases-matrix-js-sdk-24-0-0-and-matrix-react-sdk-3-69-0", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-18T20:03:37Z/" } ], "url": "https://matrix.org/blog/2023/03/28/security-releases-matrix-js-sdk-24-0-0-and-matrix-react-sdk-3-69-0" }, { "reference_url": "https://security.gentoo.org/glsa/202305-36", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-18T20:03:37Z/" } ], "url": "https://security.gentoo.org/glsa/202305-36" }, { "reference_url": "https://www.debian.org/security/2023/dsa-5392", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H" 
}, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-18T20:03:37Z/" } ], "url": "https://www.debian.org/security/2023/dsa-5392" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033621", "reference_id": "1033621", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033621" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2183278", "reference_id": "2183278", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2183278" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28427", "reference_id": "CVE-2023-28427", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28427" }, { "reference_url": "https://github.com/advisories/GHSA-mwq8-fjpf-c2gr", "reference_id": "GHSA-mwq8-fjpf-c2gr", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-mwq8-fjpf-c2gr" }, { "reference_url": "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-mwq8-fjpf-c2gr", "reference_id": "GHSA-mwq8-fjpf-c2gr", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-18T20:03:37Z/" } ], "url": 
"https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-mwq8-fjpf-c2gr" }, { "reference_url": "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-rfv9-x7hh-xc32", "reference_id": "GHSA-rfv9-x7hh-xc32", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-rfv9-x7hh-xc32" }, { "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2023-12", "reference_id": "mfsa2023-12", "reference_type": "", "scores": [ { "value": "high", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2023-12" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:1802", "reference_id": "RHSA-2023:1802", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:1802" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:1803", "reference_id": "RHSA-2023:1803", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:1803" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:1804", "reference_id": "RHSA-2023:1804", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:1804" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:1805", "reference_id": "RHSA-2023:1805", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:1805" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:1806", "reference_id": "RHSA-2023:1806", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:1806" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:1809", "reference_id": "RHSA-2023:1809", "reference_type": "", 
"scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:1809" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:1810", "reference_id": "RHSA-2023:1810", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:1810" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:1811", "reference_id": "RHSA-2023:1811", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:1811" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/56633?format=api", "purl": "pkg:npm/matrix-js-sdk@24.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6szy-r2cd-9kfw" }, { "vulnerability": "VCID-9747-ab3e-4bbg" }, { "vulnerability": "VCID-9uwh-r958-gyg3" }, { "vulnerability": "VCID-qetp-58nm-4fes" }, { "vulnerability": "VCID-tj5a-r7hy-zfer" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/matrix-js-sdk@24.0.0" } ], "aliases": [ "CVE-2023-28427", "GHSA-mwq8-fjpf-c2gr" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fs3v-8fsn-uygj" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/12506?format=api", "vulnerability_id": "VCID-qetp-58nm-4fes", "summary": "Matrix JavaScript SDK's key history sharing could share keys to malicious devices\n### Impact\nIn matrix-js-sdk versions 9.11.0 through 34.7.0, the method `MatrixClient.sendSharedHistoryKeys` is vulnerable to interception by malicious homeservers. 
The method implements functionality proposed in [MSC3061](https://github.com/matrix-org/matrix-spec-proposals/pull/3061) and can be used by clients to share historical message keys with newly invited users, granting them access to past messages in the room.\n\nHowever, it unconditionally sends these \"shared\" keys to all of the invited user's devices, regardless of whether the user's cryptographic identity is verified or whether the user's devices are signed by that identity. This allows the attacker to potentially inject its own devices to receive sensitive historical keys without proper security checks.\n\nNote that this only affects clients running the SDK with the legacy crypto stack. Clients using the new Rust cryptography stack (i.e. those that call `MatrixClient.initRustCrypto()` instead of `MatrixClient.initCrypto()`) are unaffected by this vulnerability, because `MatrixClient.sendSharedHistoryKeys()` raises an exception in such environments.\n\n### Patches\nFixed in matrix-js-sdk 34.8.0 by removing the vulnerable functionality.\n\n### Workarounds\nRemove use of affected functionality from clients.\n\n### References\n- [MSC3061](https://github.com/matrix-org/matrix-spec-proposals/pull/3061)\n\n### For more information\nIf you have any questions or comments about this advisory, please email us at [security at matrix.org](mailto:security@matrix.org).", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-47080", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0058", "scoring_system": "epss", "scoring_elements": "0.68933", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.0058", "scoring_system": "epss", "scoring_elements": "0.68853", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.0058", "scoring_system": "epss", "scoring_elements": "0.68923", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.0058", "scoring_system": "epss", "scoring_elements": "0.68882", "published_at": 
"2026-04-13T12:55:00Z" }, { "value": "0.0058", "scoring_system": "epss", "scoring_elements": "0.68911", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.0058", "scoring_system": "epss", "scoring_elements": "0.68926", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.0058", "scoring_system": "epss", "scoring_elements": "0.68834", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.0058", "scoring_system": "epss", "scoring_elements": "0.68884", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.0058", "scoring_system": "epss", "scoring_elements": "0.68833", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.0058", "scoring_system": "epss", "scoring_elements": "0.68903", "published_at": "2026-04-09T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-47080" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47080", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47080" }, { "reference_url": "https://github.com/matrix-org/matrix-js-sdk", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/matrix-js-sdk" }, { "reference_url": "https://github.com/matrix-org/matrix-js-sdk/commit/2fb1e659c81f75253c047832dc9dcc2beddfac5f", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "8.7", "scoring_system": "cvssv4", 
"scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-15T17:34:15Z/" } ], "url": "https://github.com/matrix-org/matrix-js-sdk/commit/2fb1e659c81f75253c047832dc9dcc2beddfac5f" }, { "reference_url": "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-4jf8-g8wp-cx7c", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-15T17:34:15Z/" } ], "url": "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-4jf8-g8wp-cx7c" }, { "reference_url": "https://github.com/matrix-org/matrix-spec-proposals/pull/3061", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": 
"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-15T17:34:15Z/" } ], "url": "https://github.com/matrix-org/matrix-spec-proposals/pull/3061" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47080", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47080" }, { "reference_url": "https://github.com/advisories/GHSA-4jf8-g8wp-cx7c", "reference_id": "GHSA-4jf8-g8wp-cx7c", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4jf8-g8wp-cx7c" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/44772?format=api", "purl": "pkg:npm/matrix-js-sdk@34.8.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6szy-r2cd-9kfw" }, { "vulnerability": "VCID-tj5a-r7hy-zfer" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/matrix-js-sdk@34.8.0" } ], "aliases": [ "CVE-2024-47080", "GHSA-4jf8-g8wp-cx7c" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qetp-58nm-4fes" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50240?format=api", "vulnerability_id": "VCID-qxh6-26ps-ykhu", "summary": "Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in arbitrary code execution. (Note: this sentence is downstream distribution advisory wording, cf. GLSA-202210-35 and mfsa2022-43 in the references, and does not describe the matrix-js-sdk defect itself. For matrix-js-sdk this entry is CVE-2022-39249 / GHSA-6263-x97c-c4gg, an end-to-end encryption issue rated CVSS 3.1 7.5 with high integrity impact (C:N/I:H/A:N), affecting versions before 19.7.0 and fixed in 19.7.0; see the matrix.org 2022-09-28 disclosure and the v19.7.0 release in the references.)", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-39249.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", 
"scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-39249.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-39249", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00478", "scoring_system": "epss", "scoring_elements": "0.64957", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00478", "scoring_system": "epss", "scoring_elements": "0.65037", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00478", "scoring_system": "epss", "scoring_elements": "0.65028", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00478", "scoring_system": "epss", "scoring_elements": "0.6499", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00478", "scoring_system": "epss", "scoring_elements": "0.65018", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00478", "scoring_system": "epss", "scoring_elements": "0.64984", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00478", "scoring_system": "epss", "scoring_elements": "0.65029", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00478", "scoring_system": "epss", "scoring_elements": "0.65011", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00478", "scoring_system": "epss", "scoring_elements": "0.64996", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00478", "scoring_system": "epss", "scoring_elements": "0.64946", "published_at": "2026-04-07T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-39249" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39249", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39249" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": 
"cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/matrix-org/matrix-js-sdk", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/matrix-js-sdk" }, { "reference_url": "https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:51:04Z/" } ], "url": "https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76" }, { "reference_url": "https://github.com/matrix-org/matrix-js-sdk/releases/tag/v19.7.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:51:04Z/" } ], "url": "https://github.com/matrix-org/matrix-js-sdk/releases/tag/v19.7.0" }, { "reference_url": "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-6263-x97c-c4gg", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", 
"scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:51:04Z/" } ], "url": "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-6263-x97c-c4gg" }, { "reference_url": "https://github.com/matrix-org/matrix-spec-proposals/pull/3061", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:51:04Z/" } ], "url": "https://github.com/matrix-org/matrix-spec-proposals/pull/3061" }, { "reference_url": "https://matrix.org/blog/2022/09/28/upgrade-now-to-address-encryption-vulns-in-matrix-sdks-and-clients", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:51:04Z/" } ], "url": "https://matrix.org/blog/2022/09/28/upgrade-now-to-address-encryption-vulns-in-matrix-sdks-and-clients" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39249", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39249" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021136", 
"reference_id": "1021136", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021136" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135393", "reference_id": "2135393", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135393" }, { "reference_url": "https://github.com/advisories/GHSA-6263-x97c-c4gg", "reference_id": "GHSA-6263-x97c-c4gg", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6263-x97c-c4gg" }, { "reference_url": "https://security.gentoo.org/glsa/202210-35", "reference_id": "GLSA-202210-35", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:51:04Z/" } ], "url": "https://security.gentoo.org/glsa/202210-35" }, { "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2022-43", "reference_id": "mfsa2022-43", "reference_type": "", "scores": [ { "value": "high", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2022-43" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:7178", "reference_id": "RHSA-2022:7178", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:7178" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:7181", "reference_id": "RHSA-2022:7181", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:7181" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:7182", "reference_id": "RHSA-2022:7182", "reference_type": "", "scores": [], "url": 
"https://access.redhat.com/errata/RHSA-2022:7182" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:7183", "reference_id": "RHSA-2022:7183", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:7183" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:7184", "reference_id": "RHSA-2022:7184", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:7184" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:7190", "reference_id": "RHSA-2022:7190", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:7190" }, { "reference_url": "https://usn.ubuntu.com/5724-1/", "reference_id": "USN-5724-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/5724-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/79985?format=api", "purl": "pkg:npm/matrix-js-sdk@19.7.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6szy-r2cd-9kfw" }, { "vulnerability": "VCID-9747-ab3e-4bbg" }, { "vulnerability": "VCID-9uwh-r958-gyg3" }, { "vulnerability": "VCID-fs3v-8fsn-uygj" }, { "vulnerability": "VCID-qetp-58nm-4fes" }, { "vulnerability": "VCID-tj5a-r7hy-zfer" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/matrix-js-sdk@19.7.0" } ], "aliases": [ "CVE-2022-39249", "GHSA-6263-x97c-c4gg" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qxh6-26ps-ykhu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50242?format=api", "vulnerability_id": "VCID-r824-dgt3-wucc", "summary": "Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in arbitrary code execution. (Note: this sentence is downstream distribution advisory wording, cf. GLSA-202210-35 and mfsa2022-43 in the references, and does not describe the matrix-js-sdk defect itself. For matrix-js-sdk this entry is CVE-2022-39251 / GHSA-r48r-j8fx-mq2c, an end-to-end encryption issue with high integrity impact (C:N/I:H/A:N; CVSS 3.1 8.6 with changed scope per the GitHub advisory, 7.5 per Red Hat and SUSE), affecting versions before 19.7.0 and fixed in 19.7.0; see the matrix.org 2022-09-28 disclosure and the v19.7.0 release in the references.)", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-39251.json", "reference_id": "", 
"reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-39251.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-39251", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00364", "scoring_system": "epss", "scoring_elements": "0.58497", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00364", "scoring_system": "epss", "scoring_elements": "0.58493", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00364", "scoring_system": "epss", "scoring_elements": "0.58462", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00364", "scoring_system": "epss", "scoring_elements": "0.58481", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00364", "scoring_system": "epss", "scoring_elements": "0.58501", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00364", "scoring_system": "epss", "scoring_elements": "0.58483", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00364", "scoring_system": "epss", "scoring_elements": "0.58477", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00364", "scoring_system": "epss", "scoring_elements": "0.58424", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00364", "scoring_system": "epss", "scoring_elements": "0.5845", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00364", "scoring_system": "epss", "scoring_elements": "0.5843", "published_at": "2026-04-02T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-39251" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39251", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39251" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", 
"scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/matrix-org/matrix-js-sdk", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/matrix-js-sdk" }, { "reference_url": "https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:51:00Z/" } ], "url": "https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76" }, { "reference_url": "https://github.com/matrix-org/matrix-js-sdk/releases/tag/v19.7.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:51:00Z/" } ], "url": "https://github.com/matrix-org/matrix-js-sdk/releases/tag/v19.7.0" }, { "reference_url": "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-r48r-j8fx-mq2c", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:51:00Z/" } ], "url": "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-r48r-j8fx-mq2c" }, { "reference_url": "https://matrix.org/blog/2022/09/28/upgrade-now-to-address-encryption-vulns-in-matrix-sdks-and-clients", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:51:00Z/" } ], "url": "https://matrix.org/blog/2022/09/28/upgrade-now-to-address-encryption-vulns-in-matrix-sdks-and-clients" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39251", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39251" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021136", "reference_id": "1021136", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021136" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135396", "reference_id": "2135396", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135396" }, { "reference_url": "https://github.com/advisories/GHSA-r48r-j8fx-mq2c", "reference_id": "GHSA-r48r-j8fx-mq2c", "reference_type": "", 
"scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-r48r-j8fx-mq2c" }, { "reference_url": "https://security.gentoo.org/glsa/202210-35", "reference_id": "GLSA-202210-35", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:51:00Z/" } ], "url": "https://security.gentoo.org/glsa/202210-35" }, { "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2022-43", "reference_id": "mfsa2022-43", "reference_type": "", "scores": [ { "value": "high", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2022-43" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:7178", "reference_id": "RHSA-2022:7178", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:7178" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:7181", "reference_id": "RHSA-2022:7181", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:7181" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:7182", "reference_id": "RHSA-2022:7182", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:7182" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:7183", "reference_id": "RHSA-2022:7183", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:7183" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:7184", "reference_id": "RHSA-2022:7184", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:7184" }, { "reference_url": 
"https://access.redhat.com/errata/RHSA-2022:7190", "reference_id": "RHSA-2022:7190", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:7190" }, { "reference_url": "https://usn.ubuntu.com/5724-1/", "reference_id": "USN-5724-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/5724-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/79985?format=api", "purl": "pkg:npm/matrix-js-sdk@19.7.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6szy-r2cd-9kfw" }, { "vulnerability": "VCID-9747-ab3e-4bbg" }, { "vulnerability": "VCID-9uwh-r958-gyg3" }, { "vulnerability": "VCID-fs3v-8fsn-uygj" }, { "vulnerability": "VCID-qetp-58nm-4fes" }, { "vulnerability": "VCID-tj5a-r7hy-zfer" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/matrix-js-sdk@19.7.0" } ], "aliases": [ "CVE-2022-39251", "GHSA-r48r-j8fx-mq2c" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-r824-dgt3-wucc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/21214?format=api", "vulnerability_id": "VCID-tj5a-r7hy-zfer", "summary": "matrix-js-sdk has insufficient validation when considering a room to be upgraded by another\nmatrix-js-sdk before 38.2.0 has insufficient validation of room predecessor links in `MatrixClient::getJoinedRooms`, allowing a remote attacker to attempt to replace a tombstoned room with an unrelated attacker-supplied room.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-59160", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00079", "scoring_system": "epss", "scoring_elements": "0.23658", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00079", "scoring_system": "epss", "scoring_elements": "0.23575", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00079", "scoring_system": 
"epss", "scoring_elements": "0.23557", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00079", "scoring_system": "epss", "scoring_elements": "0.23508", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00079", "scoring_system": "epss", "scoring_elements": "0.23437", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00079", "scoring_system": "epss", "scoring_elements": "0.2362", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00085", "scoring_system": "epss", "scoring_elements": "0.24658", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00085", "scoring_system": "epss", "scoring_elements": "0.24665", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00085", "scoring_system": "epss", "scoring_elements": "0.24652", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00085", "scoring_system": "epss", "scoring_elements": "0.2471", "published_at": "2026-04-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-59160" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59160", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59160" }, { "reference_url": "https://github.com/matrix-org/matrix-js-sdk", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/matrix-js-sdk" }, { "reference_url": "https://github.com/matrix-org/matrix-js-sdk/commit/43c72d5bf5e2d0a26b3b4f71092e7cb39d4137c4", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-16T17:29:36Z/" } ], "url": "https://github.com/matrix-org/matrix-js-sdk/commit/43c72d5bf5e2d0a26b3b4f71092e7cb39d4137c4" }, { "reference_url": "https://github.com/matrix-org/matrix-js-sdk/releases/tag/v38.2.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/matrix-js-sdk/releases/tag/v38.2.0" }, { "reference_url": "https://www.npmjs.com/package/matrix-js-sdk/v/38.2.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.npmjs.com/package/matrix-js-sdk/v/38.2.0" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59160", "reference_id": "CVE-2025-59160", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59160" }, { "reference_url": "https://github.com/advisories/GHSA-mp7c-m3rh-r56v", "reference_id": "GHSA-mp7c-m3rh-r56v", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-mp7c-m3rh-r56v" }, { "reference_url": 
"https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-mp7c-m3rh-r56v", "reference_id": "GHSA-mp7c-m3rh-r56v", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-16T17:29:36Z/" } ], "url": "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-mp7c-m3rh-r56v" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/63365?format=api", "purl": "pkg:npm/matrix-js-sdk@38.2.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/matrix-js-sdk@38.2.0" } ], "aliases": [ "CVE-2025-59160", "GHSA-mp7c-m3rh-r56v" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-tj5a-r7hy-zfer" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/11226?format=api", "vulnerability_id": "VCID-xewe-wx57-3yfd", "summary": "Use of a Broken or Risky Cryptographic Algorithm\nThere is a logic error in the room key sharing functionality of matrix-js-sdk (aka Matrix Javascript SDK). 
This allows the homeserver to decrypt end-to-end encrypted messages sent by affected clients.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-40823", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00261", "scoring_system": "epss", "scoring_elements": "0.49447", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00261", "scoring_system": "epss", "scoring_elements": "0.49541", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00261", "scoring_system": "epss", "scoring_elements": "0.49543", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00261", "scoring_system": "epss", "scoring_elements": "0.49496", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00261", "scoring_system": "epss", "scoring_elements": "0.49494", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00261", "scoring_system": "epss", "scoring_elements": "0.49522", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00261", "scoring_system": "epss", "scoring_elements": "0.49505", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00261", "scoring_system": "epss", "scoring_elements": "0.49502", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00261", "scoring_system": "epss", "scoring_elements": "0.49476", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00261", "scoring_system": "epss", "scoring_elements": "0.4951", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00261", "scoring_system": "epss", "scoring_elements": "0.49455", "published_at": "2026-04-07T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-40823" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40823", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40823" }, { "reference_url": "https://github.com/matrix-org/matrix-js-sdk", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", 
"scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/matrix-js-sdk" }, { "reference_url": "https://github.com/matrix-org/matrix-js-sdk/commit/894c24880da0e1cc81818f51c0db80e3c9fb2be9", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/matrix-js-sdk/commit/894c24880da0e1cc81818f51c0db80e3c9fb2be9" }, { "reference_url": "https://github.com/matrix-org/matrix-js-sdk/releases/tag/v12.4.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/matrix-js-sdk/releases/tag/v12.4.1" }, { "reference_url": "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-23cm-x6j7-6hq3", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-23cm-x6j7-6hq3" }, { "reference_url": "https://matrix.org/blog/2021/09/13/vulnerability-disclosure-key-sharing", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": 
"generic_textual", "scoring_elements": "" } ], "url": "https://matrix.org/blog/2021/09/13/vulnerability-disclosure-key-sharing" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=994213", "reference_id": "994213", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=994213" }, { "reference_url": "https://security.archlinux.org/ASA-202109-4", "reference_id": "ASA-202109-4", "reference_type": "", "scores": [], "url": "https://security.archlinux.org/ASA-202109-4" }, { "reference_url": "https://security.archlinux.org/ASA-202109-5", "reference_id": "ASA-202109-5", "reference_type": "", "scores": [], "url": "https://security.archlinux.org/ASA-202109-5" }, { "reference_url": "https://security.archlinux.org/AVG-2377", "reference_id": "AVG-2377", "reference_type": "", "scores": [ { "value": "High", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2377" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40823", "reference_id": "CVE-2021-40823", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40823" }, { "reference_url": "https://github.com/advisories/GHSA-23cm-x6j7-6hq3", "reference_id": "GHSA-23cm-x6j7-6hq3", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-23cm-x6j7-6hq3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/39389?format=api", "purl": "pkg:npm/matrix-js-sdk@12.4.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1mm2-4b1k-afat" }, { "vulnerability": "VCID-6szy-r2cd-9kfw" }, { "vulnerability": "VCID-9747-ab3e-4bbg" }, { 
"vulnerability": "VCID-9uwh-r958-gyg3" }, { "vulnerability": "VCID-cw2e-p5x2-j7fu" }, { "vulnerability": "VCID-f4t7-jun7-3qh4" }, { "vulnerability": "VCID-fs3v-8fsn-uygj" }, { "vulnerability": "VCID-qetp-58nm-4fes" }, { "vulnerability": "VCID-qxh6-26ps-ykhu" }, { "vulnerability": "VCID-r824-dgt3-wucc" }, { "vulnerability": "VCID-tj5a-r7hy-zfer" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/matrix-js-sdk@12.4.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/261277?format=api", "purl": "pkg:npm/matrix-js-sdk@12.5.0-rc.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1mm2-4b1k-afat" }, { "vulnerability": "VCID-6szy-r2cd-9kfw" }, { "vulnerability": "VCID-9747-ab3e-4bbg" }, { "vulnerability": "VCID-9uwh-r958-gyg3" }, { "vulnerability": "VCID-cw2e-p5x2-j7fu" }, { "vulnerability": "VCID-f4t7-jun7-3qh4" }, { "vulnerability": "VCID-fs3v-8fsn-uygj" }, { "vulnerability": "VCID-qetp-58nm-4fes" }, { "vulnerability": "VCID-qxh6-26ps-ykhu" }, { "vulnerability": "VCID-r824-dgt3-wucc" }, { "vulnerability": "VCID-tj5a-r7hy-zfer" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/matrix-js-sdk@12.5.0-rc.1" } ], "aliases": [ "CVE-2021-40823", "GHSA-23cm-x6j7-6hq3" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-xewe-wx57-3yfd" } ], "risk_score": "4.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/matrix-js-sdk@12.4.1" }
