medium
5.3
CWE
20
Advisory Published
Updated

CVE-2022-39236: Matrix Javascript SDK improper beacon events can cause availability issues

First published: Wed Sep 28 2022(Updated: )

Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript. Starting with version 17.1.0-rc.1, improperly formed beacon events can disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer's ability to process data safely. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer. This is patched in matrix-js-sdk v19.7.0. Redacting applicable events, waiting for the sync processor to store data, and restarting the client are possible workarounds. Alternatively, redacting the applicable events and clearing all storage will fix the further perceived issues. Downgrading to an unaffected version, noting that such a version may be subject to other vulnerabilities, will additionally resolve the issue.

Credit: security-advisories@github.com

Affected SoftwareAffected VersionHow to fix
Mozilla Thunderbird<102.3.1
102.3.1
Matrix Javascript Sdk>=17.1.0<19.7.0
Matrix Javascript Sdk=17.1.0-rc1

Remedy

https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76

Remedy

https://github.com/matrix-org/matrix-spec-proposals/pull/3488

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Peer vulnerabilities

(Found alongside the following vulnerabilities)

Frequently Asked Questions

  • What is CVE-2022-39236?

    CVE-2022-39236 is a vulnerability that affected Thunderbird users who use the Matrix chat protocol, allowing an adversary to cause data corruption issues.

  • Which software is affected by CVE-2022-39236?

    Mozilla Thunderbird version up to 102.3.1 is affected by CVE-2022-39236.

  • How severe is CVE-2022-39236?

    CVE-2022-39236 has a severity level of medium (4 out of 10).

  • How can an adversary exploit CVE-2022-39236?

    An adversary can exploit CVE-2022-39236 by sending specially crafted messages through the Matrix chat protocol to cause data integrity issues.

  • Where can I find more information about CVE-2022-39236?

    You can find more information about CVE-2022-39236 in the references provided: [Mozilla Bugzilla](https://bugzilla.mozilla.org/show_bug.cgi?id=1791765) and [Mozilla Security Advisory](https://www.mozilla.org/en-US/security/advisories/mfsa2022-43/).

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203