CVE-2023-38691 matrix-appservice-bridge

Package

Manager: npm
Name: matrix-appservice-bridge
Vulnerable Version: >=4.0.0 <8.1.2 || =9.0.0 || >=9.0.0 <9.0.1

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

EPSS: 0.00062 (percentile 0.19683)

Details

matrix-appservice-bridge doesn't verify the sub parameter of an OpenID token exchange, allowing unauthorized access to provisioning APIs.

Impact

A malicious Matrix server can use a foreign user's MXID in an OpenID exchange, allowing a bad actor to impersonate users when using the provisioning API.

Details

The library does not check that the servername part of the `sub` parameter (containing the user's *claimed* MXID) is the same as the servername we are talking to. A malicious actor could spin up a server on any given domain, respond with a `sub` parameter according to the user they want to act as, and use the resulting token to perform provisioning requests.

Workarounds

Disable the provisioning API. If the bridge does not use the provisioning API, you are not vulnerable.
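The missing check described above, as an added JavaScript example that is not the library's own code: it assumes the OpenID token object carries the Matrix fields `access_token` and `matrix_server_name`, and that the caller has already fetched the userinfo response body (`{ sub }`) from the server named in that token. The function names and the sample servers are constructed for illustration.

```javascript
// Added example: bind the MXID returned by an OpenID userinfo exchange to the
// homeserver that answered it, so a server cannot claim a foreign user's MXID.

// MXID shape: "@localpart:servername" where servername may carry a ":port".
const MXID_RE = /^@([^:]+):(.+)$/;

function parseMxid(mxid) {
  if (typeof mxid !== 'string') return null;
  const m = MXID_RE.exec(mxid);
  return m ? { localpart: m[1], serverName: m[2] } : null;
}

// The core check the advisory describes as missing: the servername part of the
// claimed MXID must be exactly the server we performed the exchange with.
function subjectMatchesServer(sub, matrixServerName) {
  const parsed = parseMxid(sub);
  return parsed !== null && parsed.serverName === matrixServerName;
}

// token: the OpenID token presented to the bridge (hypothetical field access,
// matching the Matrix OpenID token format). userInfo: the body returned by the
// homeserver named in token.matrix_server_name. Returns the verified MXID or throws.
function verifyUserInfoResponse(token, userInfo) {
  const serverName = token && token.matrix_server_name;
  const accessToken = token && token.access_token;
  if (typeof serverName !== 'string' || typeof accessToken !== 'string') {
    throw new Error('malformed OpenID token');
  }
  const sub = userInfo && userInfo.sub;
  if (!subjectMatchesServer(sub, serverName)) {
    throw new Error(`OpenID subject ${sub} is not owned by ${serverName}`);
  }
  return sub;
}

// Constructed scenario: a legitimate server and a malicious one both answer
// with alice's MXID; only the legitimate server's answer should be accepted.
const CONSTRUCTED_TOKENS = {
  legit: { access_token: 'constructed-token-1', matrix_server_name: 'good.example' },
  rogue: { access_token: 'constructed-token-2', matrix_server_name: 'evil.example' },
};
const CONSTRUCTED_USERINFO = { sub: '@alice:good.example' };
```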

Metadata

Created: 2023-08-04T17:26:32Z
Modified: 2023-08-04T17:26:32Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-vc7j-h8xg-fv5x/GHSA-vc7j-h8xg-fv5x.json
CWE IDs: ["CWE-287"]
Alternative ID: GHSA-vc7j-h8xg-fv5x
Finding: F039
Auto approve: 1