CVE-2023-38691

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-38691

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-38691.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2023-38691

Aliases

GHSA-vc7j-h8xg-fv5x

Published

2023-08-04T16:34:54Z

Modified

2025-10-20T20:18:58.681815Z

Severity

5.0 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N CVSS Calculator

Summary

matrix-appservice-bridge doesn't verify the sub parameter of an openId token exhange, allowing unauthorized access to provisioning APIs

Details

matrix-appservice-bridge provides an API for setting up bridges. Starting in version 4.0.0 and prior to versions 8.1.2 and 9.0.1, a malicious Matrix server can use a foreign user's MXID in an OpenID exchange, allowing a bad actor to impersonate users when using the provisioning API. The library does not check that the servername part of the sub parameter (containing the user's claimed MXID) is the the same as the servername we are talking to. A malicious actor could spin up a server on any given domain, respond with a sub parameter according to the user they want to act as and use the resulting token to perform provisioning requests. Versions 8.1.2 and 9.0.1 contain a patch. As a workaround, disable the provisioning API.

Database specific

{
    "cwe_ids": [
        "CWE-287"
    ]
}

References

Affected packages

Git / github.com/matrix-org/matrix-appservice-bridge

Affected ranges

Type: GIT
Repo: https://github.com/matrix-org/matrix-appservice-bridge
Events: Introduced

30f6e3a4f4c8e3ec0c4d08055e39845a71d34763

Fixed

48cf6d7ca4e8b0db2f738ce14014b4b34576906c

Type: GIT
Repo: https://github.com/matrix-org/matrix-appservice-bridge
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

533f27cb9a779a905b6b408ebd04f4c49963c84e

Affected versions

0.*

0.1.0

0.1.1

0.1.2

0.1.3

0.1.4

0.1.5

0.3.2

0.3.3

0.3.4

0.3.5

0.3.6

1.*

1.0.0

1.0.1

1.1.1

1.10.0

1.10.1

1.10.2

1.10.3

1.11.0

1.11.1

1.12.0

1.12.1

1.12.2

1.13.0

1.13.1

1.2.1

1.3.0

1.3.3

1.3.4

1.3.5

1.3.6

1.4.0

1.4.0a

1.5.0

1.5.0a

1.6.0

1.6.0a

1.6.0b

1.6.0c

1.6.1

1.7.0

1.8.1

1.9.0

1.9.1

1.9.2

2.*

2.0.0

2.1.0

2.1.0-rc1

2.1.0-rc2

2.2.0

2.2.0-rc1

2.2.0-rc2

2.3.0

2.3.0-rc1

2.3.0-rc2

2.3.0-rc3

2.3.1

2.4.0

2.4.0-rc1

2.4.0-rc2

2.5.0

2.6.0

2.6.0-rc1

2.6.1

2.7.0

3.*

3.0.0

3.1.0

3.1.1

3.1.2

3.2.0

4.*

4.0.0

4.0.1

4.0.2

5.*

5.0.0

5.1.0

7.*

7.0.0

8.*

8.0.0

8.0.1

8.1.0

8.1.1

9.*

9.0.0

v1.*

v1.13.2

v2.*

v2.5.0-rc1