CVE-2023-38691— matrix-appservice-bridge doesn't verify the sub parameter of an openId token exhange, allowing unauthorized access to provisioning APIs
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2023-38691
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
matrix-appservice-bridge doesn't verify the sub parameter of an openId token exhange, allowing unauthorized access to provisioning APIs
Source: NVD (National Vulnerability Database)
Vulnerability Description
matrix-appservice-bridge provides an API for setting up bridges. Starting in version 4.0.0 and prior to versions 8.1.2 and 9.0.1, a malicious Matrix server can use a foreign user's MXID in an OpenID exchange, allowing a bad actor to impersonate users when using the provisioning API. The library does not check that the servername part of the `sub` parameter (containing the user's *claimed* MXID) is the the same as the servername we are talking to. A malicious actor could spin up a server on any given domain, respond with a `sub` parameter according to the user they want to act as and use the resulting token to perform provisioning requests. Versions 8.1.2 and 9.0.1 contain a patch. As a workaround, disable the provisioning API.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
认证机制不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
Matrix-appservice-bridge 授权问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Matrix-appservice-bridge是开源的一个服务。用于Matrix通信程序的应用服务的桥接。 Matrix-appservice-bridge存在授权问题漏洞,该漏洞源于恶意Matrix服务器可以在OpenID交换中使用外部用户的MXID,从而允许攻击者在使用配置API时冒充用户。受影响的产品和版本:Matrix-appservice-bridge 4.0.0及更高版本,8.1.2之前版本,9.0.1之前版本。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| matrix-org | matrix-appservice-bridge | >= 4.0.0, < 8.1.2 | - |
II. Public POCs for CVE-2023-38691
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2023-38691
请登录查看更多情报信息。
Same Patch Batch · matrix-org · 2023-08-04 · 4 CVEs total
| CVE-2023-38686 | 9.3 CRITICAL | Sydent does not verify email server certificates |
| CVE-2023-38690 | 5.8 MEDIUM | matrix-appservice-irc IRC command injection via admin commands containing newlines |
| CVE-2023-38700 | 3.5 LOW | matrix-appservice-irc events can be crafted to leak parts of targeted messages from other |
IV. Related Vulnerabilities
Same vendor: matrix-org
- CVE-2025-66622
matrix-sdk-base is vulnerable to DoS via custom m.room.join_ - CVE-2025-59160
matrix-js-sdk has insufficient validation when considering a - CVE-2025-59047
matrix-sdk-base has panic in the `RoomMember::normalized_pow - CVE-2025-53549
Matrix Rust SDK allows SQL injection in the EventCache imple - CVE-2025-48937
matrix-sdk-crypto vulnerable to sender of encrypted events b
Same weakness: CWE-287
- CVE-2026-8244
Industrial Application Software IAS Canias ERP Login RMI imp - CVE-2026-8216
Industrial Application Software IAS Canias ERP Java RMI Sess - CVE-2026-8214
Industrial Application Software IAS Canias ERP RMI doAction - CVE-2026-42560
auth: Patreon provider assigns the same local user ID to eve - CVE-2026-41070
openvpn-auth-oauth2 returns FUNC_SUCCESS on client-deny, all
V. Comments for CVE-2023-38691
No comments yet