CVE-2022-39251

MITRE NVD CVE.ORG Print: PDF PDF

Summary

CVECVE-2022-39251
StatePUBLIC
Assigner[email protected]
Source PriorityCVE Program / NVD first with legacy fallback
Published2022-09-28 20:15:00 UTC
Updated2022-12-03 01:34:00 UTC
DescriptionMatrix Javascript SDK is the Matrix Client-Server SDK for JavaScript. Prior to version 19.7.0, an attacker cooperating with a malicious homeserver can construct messages that legitimately appear to have come from another person, without any indication such as a grey shield. Additionally, a sophisticated attacker cooperating with a malicious homeserver could employ this vulnerability to perform a targeted attack in order to send fake to-device messages appearing to originate from another user. This can allow, for example, to inject the key backup secret during a self-verification, to make a targeted device start using a malicious key backup spoofed by the homeserver. These attacks are possible due to a protocol confusion vulnerability that accepts to-device messages encrypted with Megolm instead of Olm. Starting with version 19.7.0, matrix-js-sdk has been modified to only accept Olm-encrypted to-device messages. Out of caution, several other checks have been audited or added. This attack requires coordination between a malicious home server and an attacker, so those who trust their home servers do not need a workaround.

Risk And Classification

Problem Types: CWE-287

NVD Known Affected Configurations (CPE 2.3)

TypeVendorProductVersionUpdateEditionLanguage
Application Matrix Javascript Sdk All All All All

References

ReferenceSourceLinkTags
Olm/Megolm protocol confusion · Advisory · matrix-org/matrix-js-sdk · GitHub CONFIRM github.com
Upgrade now to address E2EE vulnerabilities in matrix-js-sdk, matrix-ios-sdk and matrix-android-sdk2 | Matrix.org MISC matrix.org
Mozilla Thunderbird: Multiple Vulnerabilities (GLSA 202210-35) — Gentoo security GENTOO security.gentoo.org
Release v19.7.0 · matrix-org/matrix-js-sdk · GitHub MISC github.com
Resolve multiple CVEs · matrix-org/matrix-js-sdk@a587d7c · GitHub MISC github.com
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis

Legacy QID Mappings

  • 160177 Oracle Enterprise Linux Security Update for thunderbird (ELSA-2022-7184)
  • 160181 Oracle Enterprise Linux Security Update for thunderbird (ELSA-2022-7178)
  • 160184 Oracle Enterprise Linux Security Update for thunderbird (ELSA-2022-7190)
  • 199024 Ubuntu Security Notification for Thunderbird Vulnerabilities (USN-5724-1)
  • 240784 Red Hat Update for thunderbird (RHSA-2022:7184)
  • 240786 Red Hat Update for thunderbird (RHSA-2022:7190)
  • 240787 Red Hat Update for thunderbird (RHSA-2022:7178)
  • 240791 Red Hat Update for thunderbird (RHSA-2022:7182)
  • 240792 Red Hat Update for thunderbird (RHSA-2022:7181)
  • 354131 Amazon Linux Security Advisory for thunderbird : ALAS2-2022-1900
  • 377612 Mozilla Thunderbird Multiple Vulnerabilities (MFSA2022-43)
  • 502515 Alpine Linux Security Update for riot-web
  • 503177 Alpine Linux Security Update for element-web
  • 506037 Alpine Linux Security Update for element-web
  • 690947 Free Berkeley Software Distribution (FreeBSD) Security Update for matrix clients (cb902a77-3f43-11ed-9402-901b0e9408dc)
  • 710676 Gentoo Linux Mozilla Thunderbird Multiple Vulnerabilities (GLSA 202210-35)
  • 753237 SUSE Enterprise Linux Security Update for MozillaThunderbird (SUSE-SU-2022:3800-1)
  • 940708 AlmaLinux Security Update for thunderbird (ALSA-2022:7190)
  • 940711 AlmaLinux Security Update for thunderbird (ALSA-2022:7178)
  • 960256 Rocky Linux Security Update for thunderbird (RLSA-2022:7190)
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

CVE.report and Source URL Uptime Status status.cve.report