debiancve | Debian Security Bug Tracker | DEBIANCVE:CVE-2022-39264
History: Sep 28, 2022 - 10:15 p.m.

CVE-2022-39264

2022-09-28 22:15:14
Debian Security Bug Tracker
security-tracker.debian.org
17
nheko
desktop client
matrix
man-in-the-middle attack
upgrade
patch
verification
request button
vulnerability

CVSS3: 8.6

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

EPSS: 0.001
Percentile: 45.5%

nheko is a desktop client for the Matrix communication application. All versions below 0.10.2 are vulnerable to homeservers inserting malicious secrets, which could lead to man-in-the-middle attacks. Users can upgrade to version 0.10.2 to protect against this issue. As a workaround, one may apply the patch manually, avoid doing verifications of one's own devices, and/or avoid pressing the request button in the settings menu.
