CVE-2021-32659
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
Matrix-appservice-bridge is the bridging service for the Matrix communication program's application services. In versions 2.6.0 and earlier, if a bridge has room upgrade handling turned on in the configuration (the roomUpgradeOpts key when instantiating a new Bridge instance.), any m.room.tombstone event it encounters will be used to unbridge the current room and bridge into the target room. However, the target room m.room.create event is not checked to verify if the predecessor field contains the previous room. This means that any malicious admin of a bridged room can repoint the traffic to a different room without the new room being aware. Versions 2.6.1 and greater are patched. As a workaround, disabling the automatic room upgrade handling can be done by removing the roomUpgradeOpts key from the Bridge class options.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| matrix-org | matrix-appservice-bridge | < 2.6.1 | affected |
Weaknesses
- CWE-306: CWE-306: Missing Authentication for Critical Function
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/matrix-org/matrix-appservice-bridge/security/advisories/GHSA-35g4-qx3c-vjhx
- https://github.com/matrix-org/matrix-appservice-bridge/commit/b69e745584a34fcfd858df33e4631e420da07b9f
- https://github.com/matrix-org/matrix-appservice-bridge/releases/tag/2.6.1
References
- https://github.com/matrix-org/matrix-appservice-bridge/security/advisories/GHSA-35g4-qx3c-vjhx
- https://github.com/matrix-org/matrix-appservice-bridge/commit/b69e745584a34fcfd858df33e4631e420da07b9f
- https://github.com/matrix-org/matrix-appservice-bridge/releases/tag/2.6.1
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.