CVE-2022-41904

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2022-41904

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-41904.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2022-41904

Aliases

GHSA-fm8m-99j7-323g

Published

2022-11-11T00:00:00Z

Modified

2026-04-10T04:52:07.873718Z

Severity

6.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N CVSS Calculator

Summary

Element iOS is vulnerable due to missing decoration for events decrypted with untrusted Megolm sessions

Details

Element iOS is an iOS Matrix client provided by Element. It is based on MatrixSDK. Prior to version 1.9.7, events encrypted using Megolm for which trust could not be established did not get decorated accordingly (with warning shields). Therefore a malicious homeserver could inject messages into the room without the user being alerted that the messages were not sent by a verified group member, even if the user has previously verified all group members. This issue has been patched in Element iOS 1.9.7. There are currently no known workarounds.

Database specific

{
    "cwe_ids": [
        "CWE-357"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/41xxx/CVE-2022-41904.json",
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/element-hq/element-ios

Affected ranges

Type: GIT
Repo: https://github.com/element-hq/element-ios
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

431e48d296b21cbfe1be213f98b000b4575d7312

Affected versions

v0.*

v0.1.13

v0.1.14

v0.1.15

v0.1.16

v0.1.x

v0.10.0

v0.10.1

v0.10.2

v0.10.4

v0.10.5

v0.11.0

v0.11.1

v0.11.4

v0.11.5

v0.2.0

v0.2.1

v0.2.2

v0.2.3

v0.3.0

v0.3.10

v0.3.11

v0.3.13

v0.3.2

v0.3.3

v0.3.4

v0.3.5

v0.3.6

v0.3.7

v0.3.8

v0.3.9

v0.4.0

v0.4.1

v0.4.2

v0.4.3

v0.5.1

v0.5.2

v0.5.3

v0.5.4

v0.5.5

v0.6.0

v0.6.1

v0.6.10

v0.6.12

v0.6.13

v0.6.14

v0.6.15

v0.6.16

v0.6.17

v0.6.18

v0.6.19

v0.6.2

v0.6.20

v0.6.3

v0.6.4

v0.6.9

v0.7.0

v0.7.1

v0.7.10

v0.7.11

v0.7.2

v0.7.3

v0.7.4

v0.7.5

v0.7.6

v0.7.7

v0.7.8

v0.7.9

v0.8.0

v0.8.1

v0.8.2

v0.8.3

v0.8.4

v0.8.5

v0.8.6

v0.9.0

v0.9.1

v0.9.2

v0.9.3

v0.9.4

v0.9.5

v1.*

v1.0.1

v1.0.10

v1.0.11

v1.0.12

v1.0.13

v1.0.14

v1.0.15

v1.0.16

v1.0.17

v1.0.18

v1.0.2

v1.0.3

v1.0.4

v1.0.5

v1.0.6

v1.0.7

v1.0.8

v1.0.9

v1.1.0

v1.1.1

v1.1.2

v1.1.3

v1.1.4

v1.1.5

v1.1.6

v1.1.7

v1.2.0

v1.2.1

v1.2.2

v1.2.3

v1.2.4

v1.2.5

v1.2.6

v1.2.7

v1.2.8

v1.3.0

v1.3.1

v1.3.2

v1.3.3

v1.3.4

v1.3.5

v1.3.6

v1.3.7

v1.4.0

v1.4.2

v1.4.3

v1.4.4

v1.4.6

v1.4.7

v1.4.8

v1.4.9

v1.5.0

v1.5.1

v1.5.2

v1.5.3

v1.5.4

v1.6.0

v1.6.1

v1.6.10

v1.6.11

v1.6.12

v1.6.2

v1.6.4

v1.6.5

v1.6.6

v1.6.8

v1.6.9

v1.7.0

v1.8.0

v1.8.1

v1.8.10

v1.8.11

v1.8.12

v1.8.13

v1.8.14

v1.8.15

v1.8.16

v1.8.17

v1.8.18

v1.8.19

v1.8.2

v1.8.20

v1.8.21

v1.8.22

v1.8.23

v1.8.24

v1.8.25

v1.8.26

v1.8.27

v1.8.3

v1.8.4

v1.8.5

v1.8.6

v1.8.7

v1.8.8

v1.8.9

v1.9.0

v1.9.1

v1.9.2

v1.9.3

v1.9.4

v1.9.5

v1.9.6

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-41904.json"

Git / github.com/vector-im/element-ios