CVE-2021-32659 – matrix-appservice-bridge

Package

Manager: npm
Name: matrix-appservice-bridge
Vulnerable Version: >=0 <2.6.1

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00268 pctl0.50056

Details

Automatic room upgrade handling can be used maliciously to bridge a room non-consentually ### Impact If a bridge has room upgrade handling turned on in the configuration (the `roomUpgradeOpts` key when instantiating a new `Bridge` instance.), any `m.room.tombstone` event it encounters will be used to unbridge the current room and bridge into the target room. However, the target room `m.room.create` event is not checked to verify if the `predecessor` field contains the previous room. This means that any mailcious admin of a bridged room can repoint the traffic to a different room without the new room being aware. ### Patches Versions 2.6.1 and greater are patched. ### Workarounds Disabling the automatic room upgrade handling can be done by removing the `roomUpgradeOpts` key from the `Bridge` class options. ### References The issue is patched by https://github.com/matrix-org/matrix-appservice-bridge/pull/330 ### For more information] If you have any questions or comments about this advisory, email us at security@matrix.org.

Metadata

Created: 2021-06-21T17:09:22Z
Modified: 2021-06-16T20:08:37Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-35g4-qx3c-vjhx/GHSA-35g4-qx3c-vjhx.json
CWE IDs: ["CWE-306"]
Alternative ID: GHSA-35g4-qx3c-vjhx
Finding: F006
Auto approve: 1