CVE-2021-32659
June 16, 2021
Matrix-appservice-bridge is the bridging service for the Matrix communication program's application services. In versions 2.6.0 and earlier, if a bridge has room upgrade handling turned on in the configuration (the "roomUpgradeOpts" key when instantiating a new "Bridge" instance.), any "m.room.tombstone" event it encounters will be used to unbridge the current room and bridge into the target room. However, the target room "m.room.create" event is not checked to verify if the "predecessor" field contains the previous room. This means that any malicious admin of a bridged room can repoint the traffic to a different room without the new room being aware. Versions 2.6.1 and greater are patched. As a workaround, disabling the automatic room upgrade handling can be done by removing the "roomUpgradeOpts" key from the "Bridge" class options.
Affected Packages
matrix-appservice-bridge (NPM):
Affected version(s) >=0.1.0 <2.6.1Fix Suggestion:
Update to version 2.6.1Related ResourcesĀ (5)
Do you need more information?
Contact UsCVSS v4
Base Score:
7.1
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
NONE
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
6.5
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
NONE
Availability
NONE
CVSS v2
Base Score:
3.5
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
Weakness Type (CWE)
Missing Authentication for Critical Function
EPSS
Base Score:
0.27
