CVE-2021-32659 Information
Description
Matrix-appservice-bridge is the bridging service for the Matrix communication program’s application services. In versions 2.6.0 and earlier, if a bridge has room upgrade handling turned on in its configuration (the roomUpgradeOpts key passed when instantiating a new Bridge instance), any m.room.tombstone event it encounters is used to unbridge the current room and bridge into the target room. However, the target room's m.room.create event is not checked to verify that its predecessor field contains the previous room. This means that any malicious admin of a bridged room can repoint the traffic to a different room without the new room being aware. Versions 2.6.1 and greater are patched. As a workaround, automatic room upgrade handling can be disabled by removing the roomUpgradeOpts key from the Bridge class options.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
Reference
https://github.com/matrix-org/matrix-appservice-bridge/releases/tag/2.6.1
https://github.com/matrix-org/matrix-appservice-bridge/commit/b69e745584a34fcfd858df33e4631e420da07b9f
https://github.com/matrix-org/matrix-appservice-bridge/security/advisories/GHSA-35g4-qx3c-vjhx
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction Required
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
Base Score
4.9
Base Severity
MEDIUM