4.1

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-42347

GHSA ID

GHSA-f83w-wqhc-cfp4

EPSS Score

0.44106%

CWE

CWE-359

Published

8/6/2024

Updated

8/8/2024

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-42347

CVE-2024-42347: Matrix SDK for React's URL preview setting for a room is controllable by the homeserver

Impact

A malicious homeserver could manipulate a user's account data to cause the client to enable URL previews in end-to-end encrypted rooms, in which case any URLs in encrypted messages would be sent to the server.

Even if the CVSS score would be 4.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N) the maintainer classifies this as High severity issue.

Patches

This was patched in matrix-react-sdk 3.105.1.

Workarounds

Deployments that trust their homeservers, as well as closed federations of trusted servers, are not affected.

References

N/A.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-42347

CVE-2024-42347:

4.1

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-42347

GHSA ID

GHSA-f83w-wqhc-cfp4

EPSS Score

0.44106%

CWE

CWE-359

Published

8/6/2024

Updated

8/8/2024

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
matrix-react-sdk	npm	< 3.105.1	3.105.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the client trusting server-provided account data to control security-sensitive settings. Key functions would be those handling: 1) Retrieval of room account data (MatrixClient.js) where server manipulation occurs, and 2) The URL preview enablement check (UrlPreviewManager.js) that uses this untrusted data. These locations align with the described attack vector where server-controlled data overrides client security settings for URL previews in encrypted rooms.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

4.1

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-42347: Matrix SDK for React's URL preview setting for a room is controllable by the homeserver

Impact

Patches

Workarounds

References

CVE-2024-42347:

4.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

4.1

4.1

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2024-42347: Matrix SDK for React's URL preview setting for a room is controllable by the homeserver

Impact

Patches

Workarounds

References

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI