What is the severity of CVE-2024-42347?

CVE-2024-42347 has a CVSS score of 4.1, indicating a moderate severity level.

How do I fix CVE-2024-42347?

To fix CVE-2024-42347, upgrade the matrix-react-sdk to version 3.105.1 or later.

What type of vulnerability is CVE-2024-42347?

CVE-2024-42347 is a security vulnerability that allows malicious manipulation of user account data, specifically regarding URL previews in encrypted messages.

What software is affected by CVE-2024-42347?

CVE-2024-42347 affects the matrix-react-sdk version below 3.105.1.

What are the potential risks associated with CVE-2024-42347?

The potential risks of CVE-2024-42347 include unauthorized exposure of URLs in encrypted messages, compromising user privacy.

Vulnerability/
CVE-2024-42347

high

7.7

CWE

359

6/8/2024

12/8/2024

CVE-2024-42347: URL preview setting for a room is controllable by the homeserver in matrix-react-sdk

First published: Tue Aug 06 2024(Updated: )

### Impact A malicious homeserver could manipulate a user's account data to cause the client to enable URL previews in end-to-end encrypted rooms, in which case any URLs in encrypted messages would be sent to the server. Even if the CVSS score would be 4.1 ([AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N&version=3.1)) the maintainer classifies this as High severity issue. ### Patches This was patched in matrix-react-sdk 3.105.1. ### Workarounds Deployments that trust their homeservers, as well as closed federations of trusted servers, are not affected. ### References N/A.

Credit: security-advisories@github.com security-advisories@github.com

Affected Software	Affected Version	How to fix
npm/matrix-react-sdk	<3.105.1	3.105.1
Matrix React SDK	<3.105.1

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2024-42347?
CVE-2024-42347 has a CVSS score of 4.1, indicating a moderate severity level.
How do I fix CVE-2024-42347?
To fix CVE-2024-42347, upgrade the matrix-react-sdk to version 3.105.1 or later.
What type of vulnerability is CVE-2024-42347?
CVE-2024-42347 is a security vulnerability that allows malicious manipulation of user account data, specifically regarding URL previews in encrypted messages.
What software is affected by CVE-2024-42347?
CVE-2024-42347 affects the matrix-react-sdk version below 3.105.1.
What are the potential risks associated with CVE-2024-42347?
The potential risks of CVE-2024-42347 include unauthorized exposure of URLs in encrypted messages, compromising user privacy.

agent/weakness
agent/first-publish-date
agent/title
agent/type
agent/event
agent/references
agent/author
collector/github-advisory-latest
source/GitHub
alias/GHSA-f83w-wqhc-cfp4
alias/CVE-2024-42347
agent/software-canonical-lookup
agent/description
collector/mitre-cve
source/MITRE
agent/severity
agent/last-modified-date
agent/softwarecombine
agent/trending
agent/source
agent/tags
collector/nvd-api
source/NVD
agent/software-canonical-lookup-request
collector/nvd-cve
package-manager/npm
vendor/matrix
canonical/matrix react sdk

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.