Element Matrix Authentication Service Password Management Vulnerability in Authenticated Sessions
Vulnerability
A logic flaw has been identified in Element's Matrix Authentication Service (MAS) versions 0.20.0 through 1.4.0. This vulnerability allows an attacker with access to an authenticated MAS session to execute sensitive operations without providing the current password. Affected actions include changing the password, managing email addresses, and deactivating accounts. The issue arises in instances with the local password database feature enabled.
Impact
Exploitation of this vulnerability could lead to unauthorized password changes, email address modifications, and account deactivation, all performed from an existing authenticated session without the current password.
Reproduction
To reproduce this vulnerability, an authenticated MAS session is required. Once authenticated, access the password management features through the GraphQL API. The vulnerability can be tested by attempting to change the password, remove an email address, or deactivate the account without entering the current password. This can be automated with a script that uses a valid MAS session cookie.
Remediation
Users can upgrade to Matrix Authentication Service version 1.4.1, where this vulnerability has been patched.
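To illustrate the class of flaw described above, here is an added example (not MAS's own code, and not its data model) that contrasts a flawed handler, where a valid session alone authorizes a sensitive action, with a hardened one that re-verifies the current password before changing the password, removing an email address, or deactivating the account. The account store, hashing scheme and function names are hypothetical and constructed for this example.

```python
import hashlib, hmac, os
from dataclasses import dataclass, field

# Hypothetical in-memory account record (constructed for this example).
@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    emails: set = field(default_factory=set)
    active: bool = True

def hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def new_account(password: str, emails) -> Account:
    salt = os.urandom(16)
    return Account(salt, hash_pw(password, salt), set(emails))

def verify_current_password(acct: Account, current_password) -> bool:
    if current_password is None:
        return False
    return hmac.compare_digest(hash_pw(current_password, acct.salt), acct.pw_hash)

# Flawed pattern: only the session is checked, so anyone holding the session
# can rotate the password without knowing the current one.
def change_password_flawed(acct, session_valid, new_password, current_password=None):
    if not session_valid:
        raise PermissionError("no session")
    acct.salt = os.urandom(16)
    acct.pw_hash = hash_pw(new_password, acct.salt)
    return True

# Hardened pattern: every sensitive action re-authenticates with the current password.
def sensitive_action(acct, session_valid, current_password, action):
    if not session_valid:
        raise PermissionError("no session")
    if not verify_current_password(acct, current_password):
        raise PermissionError("current password required")
    action(acct)
    return True

def change_password(acct, session_valid, current_password, new_password):
    def rotate(a):
        a.salt = os.urandom(16)
        a.pw_hash = hash_pw(new_password, a.salt)
    return sensitive_action(acct, session_valid, current_password, rotate)

def remove_email(acct, session_valid, current_password, email):
    return sensitive_action(acct, session_valid, current_password, lambda a: a.emails.discard(email))

def deactivate(acct, session_valid, current_password):
    def off(a):
        a.active = False
    return sensitive_action(acct, session_valid, current_password, off)
```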
