Skip to content
This repository was archived by the owner on Sep 11, 2024. It is now read-only.

URL preview setting for a room is controllable by the homeserver

High
davidegirardi published GHSA-f83w-wqhc-cfp4 Aug 6, 2024

Package

matrix-react-sdk

Affected versions

<3.105.1

Patched versions

3.105.1

Description

Impact

A malicious homeserver could manipulate a user's account data to cause the client to enable URL previews in end-to-end encrypted rooms, in which case any URLs in encrypted messages would be sent to the server.

Even if the CVSS score would be 4.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N) we classify this as High severity issue.

Patches

This was patched in matrix-react-sdk 3.105.1.

Workarounds

Deployments that trust their homeservers, as well as closed federations of trusted servers, are not affected.

References

N/A.

Severity

High

CVE ID

CVE-2024-42347

Weaknesses

Exposure of Private Personal Information to an Unauthorized Actor

The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected. Learn more on MITRE.