SCA: security update for matrix-js-sdk (GHSA-r48r-j8fx-mq2c)

high Tenable Self-Hosted Container Security Plugin ID 418475

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript. Prior to version 19.7.0, an attacker
cooperating with a malicious homeserver can construct messages that legitimately appear to have come from
another person, without any indication such as a grey shield. Additionally, a sophisticated attacker
cooperating with a malicious homeserver could employ this vulnerability to perform a targeted attack in
order to send fake to-device messages appearing to originate from another user. This can allow, for
example, to inject the key backup secret during a self-verification, to make a targeted device start using
a malicious key backup spoofed by the homeserver. These attacks are possible due to a protocol confusion
vulnerability that accepts to-device messages encrypted with Megolm instead of Olm. Starting with version
19.7.0, matrix-js-sdk has been modified to only accept Olm-encrypted to-device messages. Out of caution,
several other checks have been audited or added. This attack requires coordination between a malicious
home server and an attacker, so those who trust their home servers do not need a workaround.
(CVE-2022-39251)

See Also

https://github.com/advisories/GHSA-r48r-j8fx-mq2c

Plugin Details

Severity: High

ID: 418475

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.73

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:C/A:N

CVSS Score Source: CVE-2022-39251

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 9/30/2022

Vulnerability Publication Date: 9/28/2022

Reference Information

CVE: CVE-2022-39251