CVE-2024-40648

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-40648
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-40648.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-40648
Aliases
Published
2024-07-18T17:15:05Z
Modified
2024-07-19T16:34:05.480438Z
Summary
[none]
Details

matrix-rust-sdk is an implementation of a Matrix client-server library in Rust. The UserIdentity::is_verified() method in the matrix-sdk-crypto crate before version 0.7.2 doesn't take into account the verification status of the user's own identity while performing the check and may as a result return a value contrary to what is implied by its name and documentation. If the method is used to decide whether to perform sensitive operations towards a user identity, a malicious homeserver could manipulate the outcome in order to make the identity appear trusted. This is not a typical usage of the method, which lowers the impact. The method itself is not used inside the matrix-sdk-crypto crate. The 0.7.2 release of the matrix-sdk-crypto crate includes a fix. All users are advised to upgrade. There are no known workarounds for this vulnerability.

References

Affected packages

Git / github.com/matrix-org/matrix-rust-sdk

Affected ranges

Type
GIT
Repo
https://github.com/matrix-org/matrix-rust-sdk
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

0.*

0.1.0
0.2.0
0.3.0
0.7.0

Other

0f
matrix-sdk-ffi/20240618
matrix-sdk-ffi/20240704

matrix-qrcode-0.*

matrix-qrcode-0.2.0

matrix-sdk-0.*

matrix-sdk-0.4.0
matrix-sdk-0.4.1
matrix-sdk-0.5.0
matrix-sdk-0.6.0

matrix-sdk-base-0.*

matrix-sdk-base-0.4.0
matrix-sdk-base-0.4.1
matrix-sdk-base-0.5.0
matrix-sdk-base-0.5.1
matrix-sdk-base-0.6.0

matrix-sdk-common-0.*

matrix-sdk-common-0.4.0
matrix-sdk-common-0.4.1
matrix-sdk-common-0.5.0
matrix-sdk-common-0.6.0

matrix-sdk-crypto-0.*

matrix-sdk-crypto-0.4.0
matrix-sdk-crypto-0.4.1
matrix-sdk-crypto-0.5.0
matrix-sdk-crypto-0.6.0

matrix-sdk-crypto-ffi-0.*

matrix-sdk-crypto-ffi-0.1.0
matrix-sdk-crypto-ffi-0.1.1
matrix-sdk-crypto-ffi-0.1.10
matrix-sdk-crypto-ffi-0.1.2
matrix-sdk-crypto-ffi-0.1.3
matrix-sdk-crypto-ffi-0.1.4
matrix-sdk-crypto-ffi-0.1.5
matrix-sdk-crypto-ffi-0.1.6
matrix-sdk-crypto-ffi-0.1.7
matrix-sdk-crypto-ffi-0.1.8
matrix-sdk-crypto-ffi-0.1.9
matrix-sdk-crypto-ffi-0.2.0
matrix-sdk-crypto-ffi-0.2.1
matrix-sdk-crypto-ffi-0.3.0
matrix-sdk-crypto-ffi-0.3.1
matrix-sdk-crypto-ffi-0.3.10
matrix-sdk-crypto-ffi-0.3.11
matrix-sdk-crypto-ffi-0.3.12
matrix-sdk-crypto-ffi-0.3.13
matrix-sdk-crypto-ffi-0.3.2
matrix-sdk-crypto-ffi-0.3.4
matrix-sdk-crypto-ffi-0.3.5
matrix-sdk-crypto-ffi-0.3.6
matrix-sdk-crypto-ffi-0.3.7
matrix-sdk-crypto-ffi-0.3.8
matrix-sdk-crypto-ffi-0.3.9
matrix-sdk-crypto-ffi-0.4.0
matrix-sdk-crypto-ffi-0.4.1
matrix-sdk-crypto-ffi-0.4.2

matrix-sdk-crypto-js-0.*

matrix-sdk-crypto-js-0.1.0
matrix-sdk-crypto-js-0.1.0-alpha.10
matrix-sdk-crypto-js-0.1.0-alpha.6
matrix-sdk-crypto-js-0.1.0-alpha.8
matrix-sdk-crypto-js-0.1.0-alpha.9
matrix-sdk-crypto-js-0.1.2
matrix-sdk-crypto-js-0.1.3
matrix-sdk-crypto-js-0.1.4

matrix-sdk-crypto-js-v0.*

matrix-sdk-crypto-js-v0.1.0-alpha.0
matrix-sdk-crypto-js-v0.1.0-alpha.1
matrix-sdk-crypto-js-v0.1.0-alpha.2
matrix-sdk-crypto-js-v0.1.0-alpha.3
matrix-sdk-crypto-js-v0.1.0-alpha.4
matrix-sdk-crypto-js-v0.1.0-alpha.5
matrix-sdk-crypto-js-v0.1.0-alpha.6

matrix-sdk-crypto-nodejs-v0.*

matrix-sdk-crypto-nodejs-v0.1.0-beta.0

matrix-sdk-indexeddb-0.*

matrix-sdk-indexeddb-0.1.0
matrix-sdk-indexeddb-0.2.0

matrix-sdk-qrcode-0.*

matrix-sdk-qrcode-0.3.0
matrix-sdk-qrcode-0.4.0

matrix-sdk-sled-0.*

matrix-sdk-sled-0.1.0
matrix-sdk-sled-0.2.0

matrix-sdk-store-encryption-0.*

matrix-sdk-store-encryption-0.1.0
matrix-sdk-store-encryption-0.2.0

matrix-sdk-test-0.*

matrix-sdk-test-0.4.0
matrix-sdk-test-0.5.0
matrix-sdk-test-0.6.0

matrix-sdk-test-macros-0.*

matrix-sdk-test-macros-0.2.0