CVE-2024-34353

Source
https://cve.org/CVERecord?id=CVE-2024-34353
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-34353.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-34353
Aliases
Published
2024-05-13T15:43:10.574Z
Modified
2026-07-15T01:49:21.275981546Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
matrix-sdk-crypto contains a log exposure of private key of the server-side key backup
Details

The matrix-sdk-crypto crate, part of the Matrix Rust SDK project, is an implementation of a Matrix end-to-end encryption state machine in Rust. In Matrix, the server-side key backup stores encrypted copies of Matrix message keys. This facilitates key sharing between a user's devices and provides a redundant copy in case all devices are lost. The key backup uses asymmetric cryptography, with each server-side key backup assigned a unique public-private key pair. Due to a logic bug introduced in commit 71136e44c03c79f80d6d1a2446673bc4d53a2067, matrix-sdk-crypto version 0.7.0 will sometimes log the private part of the backup key pair to Rust debug logs (using the tracing crate). This issue has been resolved in matrix-sdk-crypto version 0.7.1. No known workarounds are available.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-532"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/34xxx/CVE-2024-34353.json"
}
References

Affected packages

Git / github.com/matrix-org/matrix-rust-sdk

Affected ranges

Type
GIT
Repo
https://github.com/matrix-org/matrix-rust-sdk
Events
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "= 0.7.0"
        },
        {
            "last_affected": "= 0.7.0"
        }
    ]
}

Affected versions

0.*
0.7.0
0.7.1
= 0.*
= 0.7.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-34353.json"