Vulnerability-Lookup

CVE-2022-39236 (GCVE-0-2022-39236)

Vulnerability from cvelistv5 – Published: 2022-09-28 00:00 – Updated: 2025-04-23 16:55

Title

Matrix Javascript SDK improper beacon events can cause availability issues

Summary

Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript. Starting with version 17.1.0-rc.1, improperly formed beacon events can disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer's ability to process data safely. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer. This is patched in matrix-js-sdk v19.7.0. Redacting applicable events, waiting for the sync processor to store data, and restarting the client are possible workarounds. Alternatively, redacting the applicable events and clearing all storage will fix the further perceived issues. Downgrading to an unaffected version, noting that such a version may be subject to other vulnerabilities, will additionally resolve the issue.

Severity ?

4.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

CWE

CWE-20 - Improper Input Validation

Assigner

GitHub_M

References

URL

Tags

	https://github.com/matrix-org/matrix-js-sdk/secur…
	https://github.com/matrix-org/matrix-spec-proposa…
	https://github.com/matrix-org/matrix-js-sdk/commi…
	https://github.com/matrix-org/matrix-js-sdk/relea…
	https://security.gentoo.org/glsa/202210-35	vendor-advisory

Impacted products

	Vendor	Product	Version
	matrix-org	matrix-js-sdk	Affected: >= 17.1.0-rc.1, < 19.7.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T12:00:42.605Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-hvv8-5v86-r45x"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/matrix-org/matrix-spec-proposals/pull/3488"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/matrix-org/matrix-js-sdk/releases/tag/v19.7.0"
          },
          {
            "name": "GLSA-202210-35",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202210-35"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-39236",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-23T13:57:05.169149Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-23T16:55:17.226Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "matrix-js-sdk",
          "vendor": "matrix-org",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 17.1.0-rc.1, \u003c 19.7.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript. Starting with version 17.1.0-rc.1, improperly formed beacon events can disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer\u0027s ability to process data safely. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer. This is patched in matrix-js-sdk v19.7.0. Redacting applicable events, waiting for the sync processor to store data, and restarting the client are possible workarounds. Alternatively, redacting the applicable events and clearing all storage will fix the further perceived issues. Downgrading to an unaffected version, noting that such a version may be subject to other vulnerabilities, will additionally resolve the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20: Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-10-31T00:00:00.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "url": "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-hvv8-5v86-r45x"
        },
        {
          "url": "https://github.com/matrix-org/matrix-spec-proposals/pull/3488"
        },
        {
          "url": "https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76"
        },
        {
          "url": "https://github.com/matrix-org/matrix-js-sdk/releases/tag/v19.7.0"
        },
        {
          "name": "GLSA-202210-35",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://security.gentoo.org/glsa/202210-35"
        }
      ],
      "source": {
        "advisory": "GHSA-hvv8-5v86-r45x",
        "discovery": "UNKNOWN"
      },
      "title": "Matrix Javascript SDK improper beacon events can cause availability issues"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-39236",
    "datePublished": "2022-09-28T00:00:00.000Z",
    "dateReserved": "2022-09-02T00:00:00.000Z",
    "dateUpdated": "2025-04-23T16:55:17.226Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-hvv8-5v86-r45x\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://github.com/matrix-org/matrix-spec-proposals/pull/3488\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://github.com/matrix-org/matrix-js-sdk/releases/tag/v19.7.0\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://security.gentoo.org/glsa/202210-35\", \"name\": \"GLSA-202210-35\", \"tags\": [\"vendor-advisory\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T12:00:42.605Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-39236\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-23T13:57:05.169149Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-23T13:57:06.461Z\"}}], \"cna\": {\"title\": \"Matrix Javascript SDK improper beacon events can cause availability issues\", \"source\": {\"advisory\": \"GHSA-hvv8-5v86-r45x\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"matrix-org\", \"product\": \"matrix-js-sdk\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 17.1.0-rc.1, \u003c 19.7.0\"}]}], \"references\": [{\"url\": \"https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-hvv8-5v86-r45x\"}, {\"url\": \"https://github.com/matrix-org/matrix-spec-proposals/pull/3488\"}, {\"url\": \"https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76\"}, {\"url\": \"https://github.com/matrix-org/matrix-js-sdk/releases/tag/v19.7.0\"}, {\"url\": \"https://security.gentoo.org/glsa/202210-35\", \"name\": \"GLSA-202210-35\", \"tags\": [\"vendor-advisory\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript. Starting with version 17.1.0-rc.1, improperly formed beacon events can disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer\u0027s ability to process data safely. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer. This is patched in matrix-js-sdk v19.7.0. Redacting applicable events, waiting for the sync processor to store data, and restarting the client are possible workarounds. Alternatively, redacting the applicable events and clearing all storage will fix the further perceived issues. Downgrading to an unaffected version, noting that such a version may be subject to other vulnerabilities, will additionally resolve the issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-20\", \"description\": \"CWE-20: Improper Input Validation\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2022-10-31T00:00:00.000Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2022-39236\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-04-23T16:55:17.226Z\", \"dateReserved\": \"2022-09-02T00:00:00.000Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2022-09-28T00:00:00.000Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

FKIE_CVE-2022-39236

Vulnerability from fkie_nvd - Published: 2022-09-28 17:15 - Updated: 2024-11-21 07:17

Severity ?

4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/matrix-org/matrix-js-sdk/releases/tag/v19.7.0	Release Notes, Third Party Advisory
security-advisories@github.com	https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-hvv8-5v86-r45x	Third Party Advisory
security-advisories@github.com	https://github.com/matrix-org/matrix-spec-proposals/pull/3488	Patch, Third Party Advisory
security-advisories@github.com	https://security.gentoo.org/glsa/202210-35	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/matrix-org/matrix-js-sdk/releases/tag/v19.7.0	Release Notes, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-hvv8-5v86-r45x	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/matrix-org/matrix-spec-proposals/pull/3488	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://security.gentoo.org/glsa/202210-35	Third Party Advisory

Impacted products

	Vendor	Product	Version
	matrix	javascript_sdk	*
	matrix	javascript_sdk	17.1.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:matrix:javascript_sdk:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "68424611-6925-4DD4-B193-52CE6264CACB",
              "versionEndExcluding": "19.7.0",
              "versionStartIncluding": "17.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:matrix:javascript_sdk:17.1.0:rc1:*:*:*:node.js:*:*",
              "matchCriteriaId": "AEA15F9B-21FD-432C-B484-1AB439E5BE82",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript. Starting with version 17.1.0-rc.1, improperly formed beacon events can disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer\u0027s ability to process data safely. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer. This is patched in matrix-js-sdk v19.7.0. Redacting applicable events, waiting for the sync processor to store data, and restarting the client are possible workarounds. Alternatively, redacting the applicable events and clearing all storage will fix the further perceived issues. Downgrading to an unaffected version, noting that such a version may be subject to other vulnerabilities, will additionally resolve the issue."
    },
    {
      "lang": "es",
      "value": "Matrix Javascript SDK es el SDK cliente-servidor de Matrix para JavaScript. A partir de la versi\u00f3n 17.1.0-rc.1, los eventos de baliza formados inapropiadamente pueden interrumpir o impedir que matrix-js-sdk funcione apropiadamente, afectando potencialmente la capacidad del consumidor para procesar datos de forma segura. Obs\u00e9rvese que matrix-js-sdk puede parecer que funciona normalmente pero estar excluyendo o corrompiendo los datos en tiempo de ejecuci\u00f3n presentados al consumidor. Esto est\u00e1 parcheado en matrix-js-sdk v19.7.0. Redactar los eventos aplicables, esperar a que el procesador de sincronizaci\u00f3n almacene los datos y reiniciar el cliente son posibles mitigaciones. Alternativamente, redactar los eventos aplicables y borrar todo el almacenamiento corregir\u00e1 los problemas percibidos. La actualizaci\u00f3n a una versi\u00f3n no afectada, teniendo en cuenta que dicha versi\u00f3n puede estar sujeta a otras vulnerabilidades, tambi\u00e9n resolver\u00e1 el problema"
    }
  ],
  "id": "CVE-2022-39236",
  "lastModified": "2024-11-21T07:17:50.800",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-09-28T17:15:11.133",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/matrix-org/matrix-js-sdk/releases/tag/v19.7.0"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-hvv8-5v86-r45x"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/matrix-org/matrix-spec-proposals/pull/3488"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.gentoo.org/glsa/202210-35"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/matrix-org/matrix-js-sdk/releases/tag/v19.7.0"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-hvv8-5v86-r45x"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/matrix-org/matrix-spec-proposals/pull/3488"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.gentoo.org/glsa/202210-35"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-20"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

cve-2022-39236

Vulnerability from osv_almalinux

Published

2022-10-25 00:00

Modified

2022-10-26 06:48

Summary

Important: thunderbird security update

Details

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 102.4.0.

Security Fix(es):

Mozilla: Matrix SDK bundled with Thunderbird vulnerable to an impersonation attack by malicious server administrators (CVE-2022-39249)
Mozilla: Matrix SDK bundled with Thunderbird vulnerable to a device verification attack (CVE-2022-39250)
Mozilla: Matrix SDK bundled with Thunderbird vulnerable to an impersonation attack (CVE-2022-39251)
Mozilla: Same-origin policy violation could have leaked cross-origin URLs (CVE-2022-42927)
Mozilla: Memory Corruption in JS Engine (CVE-2022-42928)
Mozilla: Matrix SDK bundled with Thunderbird vulnerable to a data corruption issue (CVE-2022-39236)
Mozilla: Denial of Service via window.print (CVE-2022-42929)
Mozilla: Memory safety bugs fixed in Firefox ESR 102.4 and Thunderbird 102.4 (CVE-2022-42932)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "thunderbird"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "102.4.0-1.el9_0.alma"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Mozilla Thunderbird is a standalone mail and newsgroup client.\n\nThis update upgrades Thunderbird to version 102.4.0.\n\nSecurity Fix(es):\n\n* Mozilla: Matrix SDK bundled with Thunderbird vulnerable to an impersonation attack by malicious server administrators (CVE-2022-39249)\n* Mozilla: Matrix SDK bundled with Thunderbird vulnerable to a device verification attack (CVE-2022-39250)\n* Mozilla: Matrix SDK bundled with Thunderbird vulnerable to an impersonation attack (CVE-2022-39251)\n* Mozilla: Same-origin policy violation could have leaked cross-origin URLs (CVE-2022-42927)\n* Mozilla: Memory Corruption in JS Engine (CVE-2022-42928)\n* Mozilla: Matrix SDK bundled with Thunderbird vulnerable to a data corruption issue (CVE-2022-39236)\n* Mozilla: Denial of Service via window.print (CVE-2022-42929)\n* Mozilla: Memory safety bugs fixed in Firefox ESR 102.4 and Thunderbird 102.4 (CVE-2022-42932)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
  "id": "ALSA-2022:7178",
  "modified": "2022-10-26T06:48:26Z",
  "published": "2022-10-25T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2022:7178"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-39236"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-39249"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-39250"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-39251"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-42927"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-42928"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-42929"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-42932"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2135391"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2135393"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2135395"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2135396"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2136156"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2136157"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2136158"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2136159"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/9/ALSA-2022-7178.html"
    }
  ],
  "related": [
    "CVE-2022-39249",
    "CVE-2022-39250",
    "CVE-2022-39251",
    "CVE-2022-42927",
    "CVE-2022-42928",
    "CVE-2022-39236",
    "CVE-2022-42929",
    "CVE-2022-42932"
  ],
  "summary": "Important: thunderbird security update"
}

cve-2022-39236

Vulnerability from osv_almalinux

Published

2022-10-25 00:00

Modified

2022-10-26 07:18

Summary

Important: thunderbird security update

Details

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 102.4.0.

Security Fix(es):

Mozilla: Matrix SDK bundled with Thunderbird vulnerable to an impersonation attack by malicious server administrators (CVE-2022-39249)
Mozilla: Matrix SDK bundled with Thunderbird vulnerable to a device verification attack (CVE-2022-39250)
Mozilla: Matrix SDK bundled with Thunderbird vulnerable to an impersonation attack (CVE-2022-39251)
Mozilla: Same-origin policy violation could have leaked cross-origin URLs (CVE-2022-42927)
Mozilla: Memory Corruption in JS Engine (CVE-2022-42928)
Mozilla: Matrix SDK bundled with Thunderbird vulnerable to a data corruption issue (CVE-2022-39236)
Mozilla: Denial of Service via window.print (CVE-2022-42929)
Mozilla: Memory safety bugs fixed in Firefox ESR 102.4 and Thunderbird 102.4 (CVE-2022-42932)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "thunderbird"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "102.4.0-1.el8_6.alma"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Mozilla Thunderbird is a standalone mail and newsgroup client.\n\nThis update upgrades Thunderbird to version 102.4.0.\n\nSecurity Fix(es):\n\n* Mozilla: Matrix SDK bundled with Thunderbird vulnerable to an impersonation attack by malicious server administrators (CVE-2022-39249)\n* Mozilla: Matrix SDK bundled with Thunderbird vulnerable to a device verification attack (CVE-2022-39250)\n* Mozilla: Matrix SDK bundled with Thunderbird vulnerable to an impersonation attack (CVE-2022-39251)\n* Mozilla: Same-origin policy violation could have leaked cross-origin URLs (CVE-2022-42927)\n* Mozilla: Memory Corruption in JS Engine (CVE-2022-42928)\n* Mozilla: Matrix SDK bundled with Thunderbird vulnerable to a data corruption issue (CVE-2022-39236)\n* Mozilla: Denial of Service via window.print (CVE-2022-42929)\n* Mozilla: Memory safety bugs fixed in Firefox ESR 102.4 and Thunderbird 102.4 (CVE-2022-42932)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
  "id": "ALSA-2022:7190",
  "modified": "2022-10-26T07:18:12Z",
  "published": "2022-10-25T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2022:7190"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-39236"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-39249"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-39250"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-39251"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-42927"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-42928"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-42929"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-42932"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2135391"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2135393"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2135395"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2135396"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2136156"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2136157"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2136158"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2136159"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/8/ALSA-2022-7190.html"
    }
  ],
  "related": [
    "CVE-2022-39249",
    "CVE-2022-39250",
    "CVE-2022-39251",
    "CVE-2022-42927",
    "CVE-2022-42928",
    "CVE-2022-39236",
    "CVE-2022-42929",
    "CVE-2022-42932"
  ],
  "summary": "Important: thunderbird security update"
}

CERTFR-2022-AVI-869

Vulnerability from certfr_avis - Published: 2022-09-30 - Updated: 2022-09-30

De multiples vulnérabilités ont été corrigées dans Mozilla Thunderbird. Elles permettent à un attaquant de provoquer un contournement de la politique de sécurité, une atteinte à l'intégrité des données et une atteinte à la confidentialité des données.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

	Vendor	Product	Description
	Mozilla	Thunderbird	Thunderbird versions antérieures à 102.3.1

References

Title

Publication Time

GHSA-HVV8-5V86-R45X

Vulnerability from github – Published: 2022-09-29 14:36 – Updated: 2022-09-29 14:36

Summary

Improper beacon events in matrix-js-sdk can result in availability issues

Details

Impact

Improperly formed beacon events (from MSC3488) can disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer's ability to process data safely. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer.

Patches

This is patched in matrix-js-sdk v19.7.0

Workarounds

Redacting applicable events, waiting for the sync processor to store data, and restarting the client can often fix it. Alternatively, redacting the applicable events and clearing all storage will fix the further perceived issues.

Downgrading to an unaffected version, noting that such a version may be subject to other vulnerabilities, will additionally resolve the issue.

References

N/A - This was a logic error in the SDK.

For more information

If you have any questions or comments about this advisory please email us at security at matrix.org.

Severity ?

4.3 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "matrix-js-sdk"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "17.1.0-rc.1"
            },
            {
              "fixed": "19.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-39236"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-09-29T14:36:38Z",
    "nvd_published_at": "2022-09-28T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nImproperly formed beacon events (from [MSC3488](https://github.com/matrix-org/matrix-spec-proposals/pull/3488)) can disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer\u0027s ability to process data safely. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer.\n\n### Patches\nThis is patched in matrix-js-sdk v19.7.0\n\n### Workarounds\nRedacting applicable events, waiting for the sync processor to store data, and restarting the client can often fix it. Alternatively, redacting the applicable events and clearing all storage will fix the further perceived issues.\n\nDowngrading to an unaffected version, noting that such a version may be subject to other vulnerabilities, will additionally resolve the issue.\n\n### References\nN/A - This was a logic error in the SDK.\n\n### For more information\nIf you have any questions or comments about this advisory please email us at [security at matrix.org](mailto:security@matrix.org).\n",
  "id": "GHSA-hvv8-5v86-r45x",
  "modified": "2022-09-29T14:36:38Z",
  "published": "2022-09-29T14:36:38Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-hvv8-5v86-r45x"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39236"
    },
    {
      "type": "WEB",
      "url": "https://github.com/matrix-org/matrix-spec-proposals/pull/3488"
    },
    {
      "type": "WEB",
      "url": "https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/matrix-org/matrix-js-sdk"
    },
    {
      "type": "WEB",
      "url": "https://github.com/matrix-org/matrix-js-sdk/releases/tag/v19.7.0"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202210-35"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper beacon events in matrix-js-sdk can result in availability issues"
}

GSD-2022-39236

Vulnerability from gsd - Updated: 2023-12-13 01:19

Details

Aliases

CVE-2022-39236

Aliases

CVE-2022-39236

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-39236",
    "description": "Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript. Starting with version 17.1.0-rc.1, improperly formed beacon events can disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer\u0027s ability to process data safely. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer. This is patched in matrix-js-sdk v19.7.0. Redacting applicable events, waiting for the sync processor to store data, and restarting the client are possible workarounds. Alternatively, redacting the applicable events and clearing all storage will fix the further perceived issues. Downgrading to an unaffected version, noting that such a version may be subject to other vulnerabilities, will additionally resolve the issue.",
    "id": "GSD-2022-39236",
    "references": [
      "https://advisories.mageia.org/CVE-2022-39236.html",
      "https://access.redhat.com/errata/RHSA-2022:7178",
      "https://access.redhat.com/errata/RHSA-2022:7181",
      "https://access.redhat.com/errata/RHSA-2022:7182",
      "https://access.redhat.com/errata/RHSA-2022:7183",
      "https://access.redhat.com/errata/RHSA-2022:7184",
      "https://access.redhat.com/errata/RHSA-2022:7190",
      "https://www.suse.com/security/cve/CVE-2022-39236.html",
      "https://ubuntu.com/security/CVE-2022-39236"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-39236"
      ],
      "details": "Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript. Starting with version 17.1.0-rc.1, improperly formed beacon events can disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer\u0027s ability to process data safely. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer. This is patched in matrix-js-sdk v19.7.0. Redacting applicable events, waiting for the sync processor to store data, and restarting the client are possible workarounds. Alternatively, redacting the applicable events and clearing all storage will fix the further perceived issues. Downgrading to an unaffected version, noting that such a version may be subject to other vulnerabilities, will additionally resolve the issue.",
      "id": "GSD-2022-39236",
      "modified": "2023-12-13T01:19:20.822417Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2022-39236",
        "STATE": "PUBLIC",
        "TITLE": "Matrix Javascript SDK improper beacon events can cause availability issues"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "matrix-js-sdk",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003e= 17.1.0-rc.1, \u003c 19.7.0"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "matrix-org"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript. Starting with version 17.1.0-rc.1, improperly formed beacon events can disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer\u0027s ability to process data safely. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer. This is patched in matrix-js-sdk v19.7.0. Redacting applicable events, waiting for the sync processor to store data, and restarting the client are possible workarounds. Alternatively, redacting the applicable events and clearing all storage will fix the further perceived issues. Downgrading to an unaffected version, noting that such a version may be subject to other vulnerabilities, will additionally resolve the issue."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-20: Improper Input Validation"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-hvv8-5v86-r45x",
            "refsource": "CONFIRM",
            "url": "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-hvv8-5v86-r45x"
          },
          {
            "name": "https://github.com/matrix-org/matrix-spec-proposals/pull/3488",
            "refsource": "MISC",
            "url": "https://github.com/matrix-org/matrix-spec-proposals/pull/3488"
          },
          {
            "name": "https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76",
            "refsource": "MISC",
            "url": "https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76"
          },
          {
            "name": "https://github.com/matrix-org/matrix-js-sdk/releases/tag/v19.7.0",
            "refsource": "MISC",
            "url": "https://github.com/matrix-org/matrix-js-sdk/releases/tag/v19.7.0"
          },
          {
            "name": "GLSA-202210-35",
            "refsource": "GENTOO",
            "url": "https://security.gentoo.org/glsa/202210-35"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-hvv8-5v86-r45x",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003e=17.1.0 \u003c19.7.0",
          "affected_versions": "All versions starting from 17.1.0 before 19.7.0",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
          "cwe_ids": [
            "CWE-1035",
            "CWE-937"
          ],
          "date": "2022-12-08",
          "description": "Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript. Starting with version 17.1.0-rc.1, improperly formed beacon events can disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer\u0027s ability to process data safely. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer. This is patched in matrix-js-sdk v19.7.0. Redacting applicable events, waiting for the sync processor to store data, and restarting the client are possible workarounds. Alternatively, redacting the applicable events and clearing all storage will fix the further perceived issues. Downgrading to an unaffected version, noting that such a version may be subject to other vulnerabilities, will additionally resolve the issue.",
          "fixed_versions": [
            "19.7.0"
          ],
          "identifier": "CVE-2022-39236",
          "identifiers": [
            "CVE-2022-39236",
            "GHSA-hvv8-5v86-r45x"
          ],
          "not_impacted": "All versions before 17.1.0, all versions starting from 19.7.0",
          "package_slug": "npm/matrix-js-sdk",
          "pubdate": "2022-09-28",
          "solution": "Upgrade to version 19.7.0 or above.",
          "title": "Improper Input Validation",
          "urls": [
            "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-hvv8-5v86-r45x",
            "https://nvd.nist.gov/vuln/detail/CVE-2022-39236",
            "https://github.com/matrix-org/matrix-spec-proposals/pull/3488",
            "https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76",
            "https://github.com/matrix-org/matrix-js-sdk/releases/tag/v19.7.0",
            "https://github.com/advisories/GHSA-hvv8-5v86-r45x"
          ],
          "uuid": "22a1d665-54c9-4775-a89f-220cf19cfffa"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:matrix:javascript_sdk:*:*:*:*:*:node.js:*:*",
                "cpe_name": [],
                "versionEndExcluding": "19.7.0",
                "versionStartIncluding": "17.1.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:matrix:javascript_sdk:17.1.0:rc1:*:*:*:node.js:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-39236"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript. Starting with version 17.1.0-rc.1, improperly formed beacon events can disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer\u0027s ability to process data safely. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer. This is patched in matrix-js-sdk v19.7.0. Redacting applicable events, waiting for the sync processor to store data, and restarting the client are possible workarounds. Alternatively, redacting the applicable events and clearing all storage will fix the further perceived issues. Downgrading to an unaffected version, noting that such a version may be subject to other vulnerabilities, will additionally resolve the issue."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "NVD-CWE-noinfo"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76"
            },
            {
              "name": "https://github.com/matrix-org/matrix-js-sdk/releases/tag/v19.7.0",
              "refsource": "MISC",
              "tags": [
                "Release Notes",
                "Third Party Advisory"
              ],
              "url": "https://github.com/matrix-org/matrix-js-sdk/releases/tag/v19.7.0"
            },
            {
              "name": "https://github.com/matrix-org/matrix-spec-proposals/pull/3488",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/matrix-org/matrix-spec-proposals/pull/3488"
            },
            {
              "name": "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-hvv8-5v86-r45x",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-hvv8-5v86-r45x"
            },
            {
              "name": "GLSA-202210-35",
              "refsource": "GENTOO",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://security.gentoo.org/glsa/202210-35"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 1.4
        }
      },
      "lastModifiedDate": "2022-12-08T03:15Z",
      "publishedDate": "2022-09-28T17:15Z"
    }
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2022-39236 (GCVE-0-2022-39236)

FKIE_CVE-2022-39236

cve-2022-39236

Vulnerability from osv_almalinux

cve-2022-39236

Vulnerability from osv_almalinux

CERTFR-2022-AVI-869

Solution

GHSA-HVV8-5V86-R45X

Impact

Patches

Workarounds

References

For more information

GSD-2022-39236

Tags

Sightings

Nomenclature