{
  "schema_version": "1.4.0",
  "id": "GHSA-mwq8-fjpf-c2gr",
  "modified": "2023-03-30T20:19:18Z",
  "published": "2023-03-30T20:19:18Z",
  "aliases": [
    "CVE-2023-28427"
  ],
  "summary": "Prototype pollution in matrix-js-sdk (part 2)",
  "details": "### Impact\n\nIn certain configurations, data sent by remote servers containing special strings in key locations could cause modifications of the `Object.prototype`, disrupting matrix-js-sdk functionality, causing denial of service and potentially affecting program logic.\n\n(This is part 2, where [CVE-2022-36059](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36059) / [GHSA-rfv9-x7hh-xc32](https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-rfv9-x7hh-xc32) is part 1. Part 2 covers remaining vectors not covered by part 1, found in a codebase audit scheduled after part 1.)\n\n### Patches\nThe issue has been patched in matrix-js-sdk 24.0.0.\n\n### Workarounds\nNone.\n\n### References\n\n- [Release blog post](https://matrix.org/blog/2023/03/28/security-releases-matrix-js-sdk-24-0-0-and-matrix-react-sdk-3-69-0)\n- The advisory [GHSA-rfv9-x7hh-xc32](https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-rfv9-x7hh-xc32) ([CVE-2022-36059](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36059)) refers to an initial set of vulnerable locations discovered and patched in matrix-js-sdk 19.4.0. We opted not to disclose that advisory while we performed an audit of the codebase and are now disclosing it jointly with this one.\n\n### For more information\nIf you have any questions or comments about this advisory please email us at [security at matrix.org](mailto:security@matrix.org).\n",
  "severity": [
    {
      "type": "CVSS_V3",
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "matrix-js-sdk"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "24.0.0"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-mwq8-fjpf-c2gr"
    },
    {
      "type": "WEB",
      "url": "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-rfv9-x7hh-xc32"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28427"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/matrix-org/matrix-js-sdk"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00027.html"
    },
    {
      "type": "WEB",
      "url": "https://matrix.org/blog/2023/03/28/security-releases-matrix-js-sdk-24-0-0-and-matrix-react-sdk-3-69-0"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202305-36"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2023/dsa-5392"
    }
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2023-03-30T20:19:18Z",
    "nvd_published_at": "2023-03-28T21:15:00Z"
  }
}