Lucene search
Veracode Vulnerability DatabaseVERACODE:37330HistorySep 29, 2022 - 6:54 a.m.
Cross-site Scripting (XSS)
2022-09-2906:54:41
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
5
matrix android sdk
vulnerability
mxmegolmdecryption.kt
protocol confusion
fake to-device messages
key backup secret
self-verification
software
0.001 Low
EPSS
Percentile
37.8%
Matrix Android SDK 2 is vulnerable to cross-site scripting.The vulnerability exists in multiple functions in MXMegolmDecryption.kt due to a protocol confusion in order to send fake to-device messages which allows an attacker to inject the key backup secret during a self-verification.
| CPE | Name | Operator | Version |
|---|---|---|---|
| matrix android sdk 2 | le | 1.4.36 | |
| matrix android sdk 2 | le | 1.4.36 |
References
github.com/matrix-org/matrix-android-sdk2/commit/77df720a238d17308deab83ecaa37f7a4740a17e
github.com/matrix-org/matrix-android-sdk2/releases/tag/v1.5.1
github.com/matrix-org/matrix-android-sdk2/security/advisories/GHSA-fpgf-pjjv-2qgm
matrix.org/blog/2022/09/28/upgrade-now-to-address-encryption-vulns-in-matrix-sdks-and-clients
Related
nvd
nvd
CVE-2022-39248
2022-09-28 20:15:15
cvelist
cvelist
osv
osv
matrix-android-sdk2 vulnerable to Olm/Megolm protocol confusion
2022-09-30 04:37:39
CVE-2022-39248
2022-09-28 20:15:15
github
github
matrix-android-sdk2 vulnerable to Olm/Megolm protocol confusion
2022-09-30 04:37:39
prion
prion
Design/Logic Flaw
2022-09-28 20:15:00
cve
cve
CVE-2022-39248
2022-09-28 20:15:15