CVE-2023-29529 Affecting node-matrix-js-sdk package, versions *
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-DEBIAN11-NODEMATRIXJSSDK-8500169
- published13 Dec 2024
- disclosed14 Apr 2023
Introduced: 14 Apr 2023
CVE-2023-29529 (opens in a new tab)How to fix?
There is no fixed version for Debian:11 node-matrix-js-sdk.
NVD Description
Note: Versions mentioned in the description apply only to the upstream node-matrix-js-sdk package and not the node-matrix-js-sdk package as distributed by Debian.
See How to fix? for Debian:11 relevant fixed versions and status.
matrix-js-sdk is the Matrix Client-Server SDK for JavaScript and TypeScript. An attacker present in a room where an MSC3401 group call is taking place can eavesdrop on the video and audio of participants using matrix-js-sdk, without their knowledge. To affected matrix-js-sdk users, the attacker will not appear to be participating in the call. This attack is possible because matrix-js-sdk's group call implementation accepts incoming direct calls from other users, even if they have not yet declared intent to participate in the group call, as a means of resolving a race condition in call setup. Affected versions do not restrict access to the user's outbound media in this case. Legacy 1:1 calls are unaffected. This is fixed in matrix-js-sdk 24.1.0. As a workaround, users may hold group calls in private rooms where only the exact users who are expected to participate in the call are present.