NVD:CVE-2022-45195
Nov 12, 2022 - 7:15 p.m.

CVE-2022-45195

2022-11-12 19:15:10
CWE-327
web.nvd.nist.gov
simplexmq
simplex chat
key derivation
forward secrecy
compromise
private key
x3dh
double ratchet protocol

CVSS3: 5.3

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS: 0.001
Percentile: 35.3%

SimpleXMQ before 3.4.0, as used in SimpleX Chat before 4.2, does not apply a key derivation function to intended data, which can interfere with forward secrecy and can have other impacts if there is a compromise of a single private key. This occurs in the X3DH key exchange for the double ratchet protocol.

Affected configurations

Nvd
Node: simplex simplex_chat, Range <4.2
OR
Node: simplex simplexmq, Range <3.4.0

Vendor    Product        Version   CPE
simplex   simplex_chat   *         cpe:2.3:a:simplex:simplex_chat:*:*:*:*:*:*:*:*
simplex   simplexmq      *         cpe:2.3:a:simplex:simplexmq:*:*:*:*:*:*:*:*
