CVE-2024-47824

Vulnerability Description

matrix-react-sdk is a React-based software development kit for inserting a Matrix chat/VoIP client into a web page. In versions from 3.18.0 up to but not including 3.102.0, matrix-react-sdk allows a malicious homeserver to potentially steal message keys for a room when a user invites another user to that room, by injecting a malicious device controlled by the homeserver. This is possible because matrix-react-sdk before 3.102.0 shared historical message keys on invite. Version 3.102.0 fixes the issue by removing the calls to the vulnerable functionality, which disables sharing message keys on invite. No known workarounds are available.
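To find installs in the affected range stated above (3.18.0 up to but not including 3.102.0), the following added example, which is not part of the advisory or of the matrix-react-sdk project, scans a parsed `package-lock.json` for every installed copy of the package. The sample lockfile and the name `widget` are constructed, and treating a pre-release of 3.102.0 as affected is an assumption.

```javascript
// Added example. Range taken from the advisory: >= 3.18.0 and < 3.102.0.
const PKG = "matrix-react-sdk";
const FIRST_AFFECTED = [3, 18, 0];
const FIRST_FIXED = [3, 102, 0];
// Compare two [major, minor, patch] triples: -1, 0 or 1.
function cmpCore(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// true = in range, false = outside it, null = not plain semver (git URL, tag).
function isAffected(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(version));
  if (!m) return null;
  const core = [Number(m[1]), Number(m[2]), Number(m[3])];
  const vsFixed = cmpCore(core, FIRST_FIXED);
  // Assumption: a pre-release of 3.102.0 sorts before 3.102.0, so flag it.
  if (vsFixed >= 0) return vsFixed === 0 && Boolean(m[4]);
  return cmpCore(core, FIRST_AFFECTED) >= 0;
}

// Collect every installed copy of the package from a parsed package-lock.json.
function scanLockfile(lock) {
  const hits = [];
  const add = (path, v) => hits.push({ path, version: v, affected: isAffected(v) });
  // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === `node_modules/${PKG}` || path.endsWith(`/node_modules/${PKG}`)) add(path, meta.version);
  }
  // lockfileVersion 1: nested "dependencies" tree (skipped when "packages" exists).
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      if (name === PKG) add([...trail, name].join(" > "), meta.version);
      walk(meta.dependencies, [...trail, name]);
    }
  };
  if (!lock.packages) walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfile; "widget" is a hypothetical package name.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "node_modules/matrix-react-sdk": { version: "3.101.0" },
    "node_modules/widget/node_modules/matrix-react-sdk": { version: "3.102.0" },
  },
};
console.log(scanLockfile(sampleLock));
```

A `null` result for `affected` means the lockfile pins something other than a plain version string and the entry should be checked by hand.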

Related Weaknesses (CWE)

References

FAQ

What is CVE-2024-47824?

CVE-2024-47824 is a documented vulnerability. matrix-react-sdk is a React-based software development kit for inserting a Matrix chat/VoIP client into a web page. Starting in version 3.18.0 and before 3.102.0, matrix-react-sdk allows a malicious hom...

How severe is CVE-2024-47824?

CVSS scoring is not yet available for CVE-2024-47824. Check NVD for updates.

Is there a patch for CVE-2024-47824?

Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.