CVSS3: 8.6 High

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | CHANGED |
Confidentiality Impact | NONE |
Integrity Impact | HIGH |
Availability Impact | NONE |

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

EPSS: 0.001 Low (Percentile: 19.6%)

matrix-nio is a Python Matrix client library, designed according to sans
I/O principles. Prior to version 0.20, when a user requests a room key
from their devices, the software correctly remembers the request. Once the
user receives a forwarded room key, the software accepts it without checking
who the room key came from. This allows homeservers to try to insert room keys
of questionable validity, potentially mounting an impersonation attack.
Version 0.20 fixes the issue.
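
The missing check described above, modelled as an added example (not matrix-nio's own code): the class, method and key names are hypothetical, and the sender test shown (own user ID plus a known own-device key) is an assumed form of the check, not taken from the 0.20 patch.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class ForwardedKey:
    """Constructed stand-in for a decrypted m.forwarded_room_key event."""
    sender: str       # user ID the to-device event came from
    sender_key: str   # identity key of the sending device
    room_id: str
    session_id: str
    session_key: str

class KeyRequests:
    """Hypothetical bookkeeping for outgoing room key requests."""
    def __init__(self, own_user, own_device_keys):
        self.own_user = own_user
        self.own_device_keys = set(own_device_keys)
        self.pending = set()   # (room_id, session_id) pairs we asked for
        self.sessions = {}     # session_id -> accepted session_key
    def request(self, room_id, session_id):
        self.pending.add((room_id, session_id))
    def accept_unchecked(self, fwd):
        """Behaviour described above: only the pending request is matched."""
        if (fwd.room_id, fwd.session_id) not in self.pending:
            return False
        return self._store(fwd)

    def accept_checked(self, fwd):
        """Assumed fix shape: also require one of our own devices as sender."""
        if (fwd.room_id, fwd.session_id) not in self.pending:
            return False
        if fwd.sender != self.own_user or fwd.sender_key not in self.own_device_keys:
            return False
        return self._store(fwd)

    def _store(self, fwd):
        self.pending.discard((fwd.room_id, fwd.session_id))
        self.sessions[fwd.session_id] = fwd.session_key
        return True

def demo():
    """Constructed inputs: a forward from an unknown sender, then a genuine one."""
    room, me = "!room:example.org", "@alice:example.org"
    unknown = ForwardedKey("@other:example.org", "KEY_UNKNOWN", room, "S1", "k-unrequested")
    genuine = ForwardedKey(me, "KEY_OWN_PHONE", room, "S1", "k-genuine")
    out = {}
    for name in ("accept_unchecked", "accept_checked"):
        store = KeyRequests(me, {"KEY_OWN_PHONE"})
        store.request(room, "S1")
        handler = getattr(store, name)
        out[name] = (handler(unknown), handler(genuine), store.sessions["S1"])
    return out
```

In this model the unchecked handler stores the key from the unknown sender and, because the request is then closed, drops the genuine forward that arrives afterwards.
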

OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 22.04 | noarch | python-matrix-nio | < any | UNKNOWN |
ubuntu | 23.10 | noarch | python-matrix-nio | < any | UNKNOWN |
ubuntu | 24.04 | noarch | python-matrix-nio | < any | UNKNOWN |
github.com/poljar/matrix-nio/commit/b1cbf234a831daa160673defd596e6450e9c29f0
github.com/poljar/matrix-nio/security/advisories/GHSA-w4pr-4vjg-hffh
launchpad.net/bugs/cve/CVE-2022-39254
nvd.nist.gov/vuln/detail/CVE-2022-39254
security-tracker.debian.org/tracker/CVE-2022-39254
www.cve.org/CVERecord?id=CVE-2022-39254