GHSA-vc7j-h8xg-fv5x

Suggest an improvement
Source
https://github.com/advisories/GHSA-vc7j-h8xg-fv5x
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-vc7j-h8xg-fv5x/GHSA-vc7j-h8xg-fv5x.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-vc7j-h8xg-fv5x
Aliases
Related
Published
2023-08-04T17:26:32Z
Modified
2023-11-01T05:02:38.698826Z
Severity
  • 5.0 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N CVSS Calculator
Summary
matrix-appservice-bridge doesn't verify the sub parameter of an openId token exhange, allowing unauthorized access to provisioning APIs
Details

Impact

A malicious Matrix server can use a foreign user's MXID in an OpenID exchange, allowing a bad actor to impersonate users when using the provisioning API.

Details

The library does not check that the servername part of the sub parameter (containing the user's claimed MXID) is the same as the servername we are talking to. A malicious actor could spin up a server on any given domain, respond with a sub parameter according to the user they want to act as and use the resulting token to perform provisioning requests.

Workarounds

Disable the provisioning API. If the bridge does not use the provisioning API, you are not vulnerable.

Database specific 
{
    "nvd_published_at": "2023-08-04T17:15:11Z",
    "cwe_ids": [
        "CWE-287"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-08-04T17:26:32Z"
}
References

Affected packages

npm / matrix-appservice-bridge

Package

Name
matrix-appservice-bridge
View open source insights on deps.dev
Purl
pkg:npm/matrix-appservice-bridge

Affected ranges

Type
SEMVER
Events
Introduced
4.0.0
Fixed
8.1.2

npm / matrix-appservice-bridge

Package

Name
matrix-appservice-bridge
View open source insights on deps.dev
Purl
pkg:npm/matrix-appservice-bridge

Affected ranges

Type
SEMVER
Events
Introduced
9.0.0
Fixed
9.0.1

Affected versions

9.*

9.0.0