Lucene search
Veracode Vulnerability DatabaseVERACODE:37321HistorySep 29, 2022 - 3:47 a.m.
Impersonation Via Forwarded Megolm Sessions
2022-09-2903:47:56
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
10
matrixsdk
vulnerability
impersonation
megolm sessions
0.001 Low
EPSS
Percentile
37.8%
MatrixSDK is vulnerable to impersonation via forwarded Megolm sessions. The use of a too permissive key forwarding strategy in MatrixSDK allows an attacker having coordination with a malicious homeserver to construct messages appearing to have come from another person and the default policy for accepting key forwards fails to check if forwarded keys in response to previously issued requests.
References
github.com/matrix-org/matrix-ios-sdk/commit/5ca86c328a5faaab429c240551cb9ca8f0f6262c
github.com/matrix-org/matrix-ios-sdk/releases/tag/v0.23.19
github.com/matrix-org/matrix-ios-sdk/security/advisories/GHSA-qxr3-5jmq-xcf4
matrix.org/blog/2022/09/28/upgrade-now-to-address-encryption-vulns-in-matrix-sdks-and-clients
Related
osv
osv
CVE-2022-39257
2022-09-28 21:15:14
nvd
nvd
CVE-2022-39257
2022-09-28 21:15:14
prion
prion
Design/Logic Flaw
2022-09-28 21:15:00
cvelist
cvelist
cve
cve
CVE-2022-39257
2022-09-28 21:15:14