{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-39236", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "dateUpdated": "2025-04-23T16:55:17.226Z", "dateReserved": "2022-09-02T00:00:00.000Z", "datePublished": "2022-09-28T00:00:00.000Z"}, "containers": {"cna": {"title": "Matrix Javascript SDK improper beacon events can cause availability issues", "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-10-31T00:00:00.000Z"}, "descriptions": [{"lang": "en", "value": "Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript. Starting with version 17.1.0-rc.1, improperly formed beacon events can disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer's ability to process data safely. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer. This is patched in matrix-js-sdk v19.7.0. Redacting applicable events, waiting for the sync processor to store data, and restarting the client are possible workarounds. Alternatively, redacting the applicable events and clearing all storage will fix the further perceived issues. Downgrading to an unaffected version, noting that such a version may be subject to other vulnerabilities, will additionally resolve the issue."}], "affected": [{"vendor": "matrix-org", "product": "matrix-js-sdk", "versions": [{"version": ">= 17.1.0-rc.1, < 19.7.0", "status": "affected"}]}], "references": [{"url": "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-hvv8-5v86-r45x"}, {"url": "https://github.com/matrix-org/matrix-spec-proposals/pull/3488"}, {"url": "https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76"}, {"url": "https://github.com/matrix-org/matrix-js-sdk/releases/tag/v19.7.0"}, {"name": "GLSA-202210-35", "tags": ["vendor-advisory"], "url": "https://security.gentoo.org/glsa/202210-35"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-20: Improper Input Validation", "cweId": "CWE-20"}]}], "source": {"advisory": "GHSA-hvv8-5v86-r45x", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T12:00:42.605Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-hvv8-5v86-r45x", "tags": ["x_transferred"]}, {"url": "https://github.com/matrix-org/matrix-spec-proposals/pull/3488", "tags": ["x_transferred"]}, {"url": "https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76", "tags": ["x_transferred"]}, {"url": "https://github.com/matrix-org/matrix-js-sdk/releases/tag/v19.7.0", "tags": ["x_transferred"]}, {"name": "GLSA-202210-35", "tags": ["vendor-advisory", "x_transferred"], "url": "https://security.gentoo.org/glsa/202210-35"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-23T13:57:05.169149Z", "id": "CVE-2022-39236", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-23T16:55:17.226Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-hvv8-5v86-r45x", "tags": ["x_transferred"]}, {"url": "https://github.com/matrix-org/matrix-spec-proposals/pull/3488", "tags": ["x_transferred"]}, {"url": "https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76", "tags": ["x_transferred"]}, {"url": "https://github.com/matrix-org/matrix-js-sdk/releases/tag/v19.7.0", "tags": ["x_transferred"]}, {"url": "https://security.gentoo.org/glsa/202210-35", "name": "GLSA-202210-35", "tags": ["vendor-advisory", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T12:00:42.605Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-39236", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-23T13:57:05.169149Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-23T13:57:06.461Z"}}], "cna": {"title": "Matrix Javascript SDK improper beacon events can cause availability issues", "source": {"advisory": "GHSA-hvv8-5v86-r45x", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "matrix-org", "product": "matrix-js-sdk", "versions": [{"status": "affected", "version": ">= 17.1.0-rc.1, < 19.7.0"}]}], "references": [{"url": "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-hvv8-5v86-r45x"}, {"url": "https://github.com/matrix-org/matrix-spec-proposals/pull/3488"}, {"url": "https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76"}, {"url": "https://github.com/matrix-org/matrix-js-sdk/releases/tag/v19.7.0"}, {"url": "https://security.gentoo.org/glsa/202210-35", "name": "GLSA-202210-35", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en", "value": "Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript. Starting with version 17.1.0-rc.1, improperly formed beacon events can disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer's ability to process data safely. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer. This is patched in matrix-js-sdk v19.7.0. Redacting applicable events, waiting for the sync processor to store data, and restarting the client are possible workarounds. Alternatively, redacting the applicable events and clearing all storage will fix the further perceived issues. Downgrading to an unaffected version, noting that such a version may be subject to other vulnerabilities, will additionally resolve the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-10-31T00:00:00.000Z"}}}, "cveMetadata": {"cveId": "CVE-2022-39236", "state": "PUBLISHED", "dateUpdated": "2025-04-23T16:55:17.226Z", "dateReserved": "2022-09-02T00:00:00.000Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2022-09-28T00:00:00.000Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:matrix:javascript_sdk:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "68424611-6925-4DD4-B193-52CE6264CACB", "versionEndExcluding": "19.7.0", "versionStartIncluding": "17.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:matrix:javascript_sdk:17.1.0:rc1:*:*:*:node.js:*:*", "matchCriteriaId": "AEA15F9B-21FD-432C-B484-1AB439E5BE82", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript. Starting with version 17.1.0-rc.1, improperly formed beacon events can disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer's ability to process data safely. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer. This is patched in matrix-js-sdk v19.7.0. Redacting applicable events, waiting for the sync processor to store data, and restarting the client are possible workarounds. Alternatively, redacting the applicable events and clearing all storage will fix the further perceived issues. Downgrading to an unaffected version, noting that such a version may be subject to other vulnerabilities, will additionally resolve the issue."}, {"lang": "es", "value": "Matrix Javascript SDK es el SDK cliente-servidor de Matrix para JavaScript. A partir de la versi\u00f3n 17.1.0-rc.1, los eventos de baliza formados inapropiadamente pueden interrumpir o impedir que matrix-js-sdk funcione apropiadamente, afectando potencialmente la capacidad del consumidor para procesar datos de forma segura. Obs\u00e9rvese que matrix-js-sdk puede parecer que funciona normalmente pero estar excluyendo o corrompiendo los datos en tiempo de ejecuci\u00f3n presentados al consumidor. Esto est\u00e1 parcheado en matrix-js-sdk v19.7.0. Redactar los eventos aplicables, esperar a que el procesador de sincronizaci\u00f3n almacene los datos y reiniciar el cliente son posibles mitigaciones. Alternativamente, redactar los eventos aplicables y borrar todo el almacenamiento corregir\u00e1 los problemas percibidos. La actualizaci\u00f3n a una versi\u00f3n no afectada, teniendo en cuenta que dicha versi\u00f3n puede estar sujeta a otras vulnerabilidades, tambi\u00e9n resolver\u00e1 el problema"}], "id": "CVE-2022-39236", "lastModified": "2024-11-21T07:17:50.800", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-09-28T17:15:11.133", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76"}, {"source": "security-advisories@github.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/matrix-org/matrix-js-sdk/releases/tag/v19.7.0"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-hvv8-5v86-r45x"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/matrix-org/matrix-spec-proposals/pull/3488"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202210-35"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/matrix-org/matrix-js-sdk/releases/tag/v19.7.0"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-hvv8-5v86-r45x"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/matrix-org/matrix-spec-proposals/pull/3488"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202210-35"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank the Mozilla project for reporting this issue.", "affected_release": [{"advisory": "RHSA-2022:7184", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "thunderbird-0:102.4.0-1.el7_9", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2022-10-25T00:00:00Z"}, {"advisory": "RHSA-2022:7190", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "thunderbird-0:102.4.0-1.el8_6", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2022-10-25T00:00:00Z"}, {"advisory": "RHSA-2022:7183", "cpe": "cpe:/a:redhat:rhel_e4s:8.1", "package": "thunderbird-0:102.4.0-1.el8_1", "product_name": "Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions", "release_date": "2022-10-25T00:00:00Z"}, {"advisory": "RHSA-2022:7182", "cpe": "cpe:/a:redhat:rhel_eus:8.2", "package": "thunderbird-0:102.4.0-1.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Extended Update Support", "release_date": "2022-10-25T00:00:00Z"}, {"advisory": "RHSA-2022:7181", "cpe": "cpe:/a:redhat:rhel_eus:8.4", "package": "thunderbird-0:102.4.0-1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Extended Update Support", "release_date": "2022-10-25T00:00:00Z"}, {"advisory": "RHSA-2022:7178", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "thunderbird-0:102.4.0-1.el9_0", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2022-10-25T00:00:00Z"}], "bugzilla": {"description": "Mozilla: Matrix SDK bundled with Thunderbird vulnerable to a data corruption issue", "id": "2135391", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135391"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "status": "verified"}, "cwe": "CWE-20", "details": ["Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript. Starting with version 17.1.0-rc.1, improperly formed beacon events can disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer's ability to process data safely. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer. This is patched in matrix-js-sdk v19.7.0. Redacting applicable events, waiting for the sync processor to store data, and restarting the client are possible workarounds. Alternatively, redacting the applicable events and clearing all storage will fix the further perceived issues. Downgrading to an unaffected version, noting that such a version may be subject to other vulnerabilities, will additionally resolve the issue.", "A flaw was found in Mozilla. According to the Mozilla Foundation Security Advisory, Thunderbird users who use the Matrix chat protocol are vulnerable to a data corruption issue. An attacker could potentially cause data integrity issues by sending specially crafted messages."], "name": "CVE-2022-39236", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 6"}], "public_date": "2022-09-28T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-39236\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-39236\nhttps://www.mozilla.org/en-US/security/advisories/mfsa2022-43/#CVE-2022-39236"], "threat_severity": "Moderate"}