OSV:RUSTSEC-2022-0085 (osv, Google)
Sep 29, 2022 - 12:00 p.m.

matrix-sdk Impersonation of room keys

2022-09-29 12:00:00
Google
osv.dev
room key validation
impersonation attack
software vulnerability

CVSS3: 8.6 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

EPSS: 0.001 Low
Percentile: 37.8%

When the user receives a forwarded room key, the software accepts it without
checking who the room key came from. This allows homeservers to try to insert
room keys of questionable validity, potentially mounting an impersonation attack.

CPE  Name  Operator  Version
matrix-sdk-crypto  lt  0.6.0
