cve/2022/CVE-2022-39251.md

### [CVE-2022-39251](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39251)
![](https://img.shields.io/static/v1?label=Product&message=matrix-js-sdk&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=n%2Fa&color=blue)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-287%3A%20Improper%20Authentication&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-322%3A%20Key%20Exchange%20without%20Entity%20Authentication&color=brighgreen)

### Description

Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript. Prior to version 19.7.0, an attacker cooperating with a malicious homeserver can construct messages that legitimately appear to have come from another person, without any indication such as a grey shield. Additionally, a sophisticated attacker cooperating with a malicious homeserver could employ this vulnerability to perform a targeted attack in order to send fake to-device messages appearing to originate from another user. This can allow, for example, to inject the key backup secret during a self-verification, to make a targeted device start using a malicious key backup spoofed by the homeserver. These attacks are possible due to a protocol confusion vulnerability that accepts to-device messages encrypted with Megolm instead of Olm. Starting with version 19.7.0, matrix-js-sdk has been modified to only accept Olm-encrypted to-device messages. Out of caution, several other checks have been audited or added. This attack requires coordination between a malicious home server and an attacker, so those who trust their home servers do not need a workaround.

### POC

#### Reference
No PoCs from references.

#### Github
- https://github.com/ARPSyndicate/cvemon
- https://github.com/karimhabush/cyberowl
Update Sat May 25 21:48:12 CEST 2024 2024-05-25 21:48:12 +02:00			`### [CVE-2022-39251](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39251)`
			`![](https://img.shields.io/static/v1?label=Product&message=matrix-js-sdk&color=blue)`
			`![](https://img.shields.io/static/v1?label=Version&message=n%2Fa&color=blue)`
			`![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-287%3A%20Improper%20Authentication&color=brighgreen)`
			`![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-322%3A%20Key%20Exchange%20without%20Entity%20Authentication&color=brighgreen)`

			`### Description`

			Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript. Prior to version 19.7.0, an attacker cooperating with a malicious homeserver can construct messages that legitimately appear to have come from another person, without any indication such as a grey shield. Additionally, a sophisticated attacker cooperating with a malicious homeserver could employ this vulnerability to perform a targeted attack in order to send fake to-device messages appearing to originate from another user. This can allow, for example, to inject the key backup secret during a self-verification, to make a targeted device start using a malicious key backup spoofed by the homeserver. These attacks are possible due to a protocol confusion vulnerability that accepts to-device messages encrypted with Megolm instead of Olm. Starting with version 19.7.0, matrix-js-sdk has been modified to only accept Olm-encrypted to-device messages. Out of caution, several other checks have been audited or added. This attack requires coordination between a malicious home server and an attacker, so those who trust their home servers do not need a workaround.

			`### POC`

			`#### Reference`
			`No PoCs from references.`

			`#### Github`
			`- https://github.com/ARPSyndicate/cvemon`
			`- https://github.com/karimhabush/cyberowl`