CVE-2024-42369

EPSS 0.21%
Published 20.08.2024 15:15:21
Last modified 21.08.2024 16:01:03
Source security-advisories@github.com
Teams watchlist Login
Open Login

matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. A malicious homeserver can craft a room or room structure such that the predecessors form a cycle. The matrix-js-sdk's getRoomUpgradeHistory function will infinitely recurse in this case, causing the code to hang. This method is public but also called by the 'leaveRoomChain()' method, so leaving a room will also trigger the bug. This was patched in matrix-js-sdk 34.3.1.

Affected products Warnungen 0 Metrics 3 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

Matrix ≫ Javascript Sdk Version < 34.3.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.21%	0.429

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
security-advisories@github.com	4.1	2.3	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:L

CWE-674 Uncontrolled Recursion

The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

https://github.com/matrix-org/matrix-js-sdk/commit/a0efed8b881b3db6c9f2c71d6a6e74c2828978c6

Patch

https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-vhr5-g3pm-49fm

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-42369

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-42369

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-42369

EUVD