CVE-2024-40648
CVSS V2 None
CVSS V3 None
Description
matrix-rust-sdk is an implementation of a Matrix client-server library in Rust. The `UserIdentity::is_verified()` method in the matrix-sdk-crypto crate before version 0.7.2 doesn't take into account the verification status of the user's own identity while performing the check and may as a result return a value contrary to what is implied by its name and documentation. If the method is used to decide whether to perform sensitive operations towards a user identity, a malicious homeserver could manipulate the outcome in order to make the identity appear trusted. This is not a typical usage of the method, which lowers the impact. The method itself is not used inside the `matrix-sdk-crypto` crate. The 0.7.2 release of the `matrix-sdk-crypto` crate includes a fix. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Overview
- CVE ID
- CVE-2024-40648
- Assigner
- GitHub_M
- Vulnerability Status
- PUBLISHED
- Published Version
- 2024-07-18T16:45:56.321Z
- Last Modified Date
- 2024-07-18T17:48:47.443Z
Weakness Enumerations
References
| Reference URL | Reference Tags |
|---|---|
| https://github.com/matrix-org/matrix-rust-sdk/security/advisories/GHSA-4qg4-cvh2-crgg | x_refsource_CONFIRM |
| https://github.com/matrix-org/matrix-rust-sdk/commit/76a7052149bb8f722df12da915b3a06d19a6695a | x_refsource_MISC |
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2024-40648 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40648 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2024-07-19 13:03:45 | Added to TrackCVE |