Access Restriction Bypass Affecting matrix-appservice-bridge package, versions >=4.0.0 <8.1.2 <9.0.1
Threat Intelligence
EPSS
0.05% (19th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JS-MATRIXAPPSERVICEBRIDGE-5821375
- published 6 Aug 2023
- disclosed 4 Aug 2023
- credit Unknown
Introduced: 4 Aug 2023
CVE-2023-38691 Open this link in a new tabHow to fix?
Upgrade matrix-appservice-bridge
to version 8.1.2, 9.0.1 or higher.
Overview
matrix-appservice-bridge is a Bridging infrastructure for Matrix Application Services
Affected versions of this package are vulnerable to Access Restriction Bypass when using a foreign user's MXID in an OpenID exchange, allowing an attacker to impersonate users when using the provisioning API.
Workarounds
Users that are not able to upgrade to the fixed version can disable the provisioning API.
References
CVSS Scores
version 3.1