Description

matrix-react-sdk is react-based software development kit for inserting a Matrix chat/VOIP client into a web page. Starting in version 3.18.0 and before 3.102.0, matrix-react-sdk allows a malicious homeserver to potentially steal message keys for a room when a user invites another user to that room, via injection of a malicious device controlled by the homeserver. This is possible because matrix-react-sdk before 3.102.0 shared historical message keys on invite. Version 3.102.0 fixes this issue by disabling sharing message keys on invite by removing calls to the vulnerable functionality. No known workarounds are available.

INFO

Published Date :

2024-10-15T15:40:37.397Z

Last Modified :

2024-11-21T16:52:42.888Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2024-47824 vulnerability.

Vendors Products
Matrix-react-sdk Project
  • Matrix-react-sdk
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-47824.

URL Resource
https://github.com/matrix-org/matrix-react-sdk/commit/6fc9d7641c51ca3db8225cf58b9d6e6fdd2d6556 cve-icon cve-icon
https://github.com/matrix-org/matrix-react-sdk/pull/12618 cve-icon cve-icon
https://github.com/matrix-org/matrix-react-sdk/security/advisories/GHSA-qcvh-p9jq-wp8v cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability