CVE-2023-28103
Summary
| CVE | CVE-2023-28103 |
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2023-03-28 21:15:00 UTC |
| Updated | 2023-04-05 01:09:00 UTC |
| Description | matrix-react-sdk is a Matrix chat protocol SDK for React Javascript. In certain configurations, data sent by remote servers containing special strings in key locations could cause modifications of the `Object.prototype`, disrupting matrix-react-sdk functionality, causing denial of service and potentially affecting program logic. This is fixed in matrix-react-sdk 3.69.0 and users are advised to upgrade. There are no known workarounds for this vulnerability. Note this advisory is distinct from GHSA-2x9c-qwgf-94xr which refers to a similar issue. |
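As an added illustration of the vulnerability class the description refers to (this is not code from matrix-react-sdk, the advisory, or the fix), the JavaScript below deep-merges attacker-supplied JSON into a local object. A `"__proto__"` key in the remote data is one of the "special strings in key locations" the description mentions: the vulnerable merge follows it into `Object.prototype`, so every object in the process afterwards inherits the attacker's property. The hardened merge beside it drops prototype-reaching keys and merges into a null-prototype target. The merge helpers, the sample payload and the `polluted` property name are constructed for this example.

```javascript
// Added example for the prototype-pollution class behind CVE-2023-28103.
// Hypothetical helpers, NOT matrix-react-sdk code. The payload below is
// constructed to stand in for "data sent by remote servers".
const CONSTRUCTED_REMOTE_PAYLOAD =
  '{"name": "room", "__proto__": {"polluted": "yes"}}';

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Vulnerable deep merge: JSON.parse produces an *own* property literally
// named "__proto__", so Object.keys() yields it; reading target["__proto__"]
// then returns Object.prototype and the recursion writes into it.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Keys that can reach the prototype chain ("constructor" -> "prototype" is
// the second common gadget besides "__proto__").
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Hardened deep merge: drop prototype-reaching keys, only descend into the
// target's own properties, and create children without a prototype at all.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (
        !Object.prototype.hasOwnProperty.call(target, key) ||
        !isPlainObject(target[key])
      ) {
        target[key] = Object.create(null);
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Run the same payload through both merges and report whether an unrelated,
// freshly created object inherits the attacker-controlled property.
function demonstrate() {
  const parsed = JSON.parse(CONSTRUCTED_REMOTE_PAYLOAD);
  const before = ({}).polluted; // undefined on a clean runtime

  unsafeMerge({}, parsed);
  const afterUnsafe = ({}).polluted; // "yes": Object.prototype was modified
  delete Object.prototype.polluted; // restore the runtime before the safe run

  const merged = safeMerge(Object.create(null), parsed);
  const afterSafe = ({}).polluted; // undefined: the key was dropped

  return {
    before,
    afterUnsafe,
    afterSafe,
    mergedName: merged.name,
    mergedHasProto: "__proto__" in merged,
  };
}

console.log(demonstrate());
```

The point to take from the vulnerable path is that the damage is global: the polluted property shows up on objects the SDK never touched, which is why the description speaks of disrupted functionality and affected program logic rather than a single corrupted record. The specific code path and the configurations that exposed it in matrix-react-sdk are not reproduced here; the only stated remediation is upgrading to 3.69.0.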
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Prototype pollution in matrix-react-sdk (part 2) · Advisory · matrix-org/matrix-react-sdk · GitHub | MISC | github.com | |
| Security releases: matrix-js-sdk 24.0.0 and matrix-react-sdk 3.69.0 \| Matrix.org | MISC | matrix.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 502947 Alpine Linux Security Update for riot-web
- 503174 Alpine Linux Security Update for element-web
- 506034 Alpine Linux Security Update for element-web
- 691101 Free Berkeley Software Distribution (FreeBSD) Security Update for matrix clients (5b0ae405-cdc7-11ed-bb39-901b0e9408dc)