GHSA-9ggc-845v-gcgv

Source
https://github.com/advisories/GHSA-9ggc-845v-gcgv
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-9ggc-845v-gcgv/GHSA-9ggc-845v-gcgv.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-9ggc-845v-gcgv
Aliases
Published
2024-05-13T16:04:37Z
Modified
2024-05-19T02:24:46.101440Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
matrix-sdk-crypto contains a log exposure of private key of the server-side key backup
Details

Introduction

In Matrix, the server-side key backup stores encrypted copies of Matrix message keys. This facilitates key sharing between a user's devices and provides a redundant copy in case all devices are lost. The key backup uses asymmetric cryptography, with each server-side key backup assigned a unique public-private key pair.

Impact

Due to a logic bug introduced in https://github.com/matrix-org/matrix-rust-sdk/pull/2961/commits/71136e44c03c79f80d6d1a2446673bc4d53a2067, the matrix-sdk-crypto crate version 0.7.0 will sometimes log the private part of the backup key pair to Rust debug logs (using the tracing crate).
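
The failure mode described above (CWE-532: a secret reaching a log line through an ordinary `{:?}` formatting path) and the usual defensive pattern against it, as an added example that is not code from matrix-sdk-crypto or the matrix-rust-sdk project. It uses only the standard library so it runs without the tracing crate; the type names `LeakyBackupKey` and `BackupDecryptionKey`, the helper `log_line_exposes_key`, and the key bytes are all constructed for the example. The point is that a derived `Debug` on a key newtype prints every byte, so any debug-level log statement that formats the value (or a span that records it) writes the private key to the log, whereas a hand-written `Debug` that redacts the field makes the same log statement harmless.

```rust
use std::fmt;

// Constructed sample key bytes for the demonstration (NOT a real key).
// 32 bytes, the size of a Curve25519 private key.
pub const SAMPLE_KEY: [u8; 32] = [0x11; 32];

/// Naive newtype: `#[derive(Debug)]` renders every byte of the inner array,
/// so `debug!("{:?}", key)` or a span field holding the key leaks it to the log.
#[derive(Clone, Debug)]
pub struct LeakyBackupKey(pub [u8; 32]);

/// Hardened newtype: no derived `Debug`; the manual impl below never touches
/// the key material, so formatting it anywhere is safe by construction.
#[derive(Clone)]
pub struct BackupDecryptionKey([u8; 32]);

impl BackupDecryptionKey {
    pub fn from_bytes(bytes: [u8; 32]) -> Self {
        Self(bytes)
    }

    /// The only way to reach the raw bytes is an explicit, greppable accessor.
    pub fn as_bytes(&self) -> &[u8; 32] {
        &self.0
    }
}

impl fmt::Debug for BackupDecryptionKey {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        // Print the type name and a fixed marker; deliberately not the bytes.
        f.debug_struct("BackupDecryptionKey")
            .field("key", &"<redacted>")
            .finish()
    }
}

/// Render a value exactly as a `{:?}` log statement would.
pub fn debug_repr<T: fmt::Debug>(v: &T) -> String {
    format!("{:?}", v)
}

/// Detection check for a rendered log line: does it contain the key either as
/// the decimal byte list that `derive(Debug)` emits or as lowercase hex?
pub fn log_line_exposes_key(line: &str, key: &[u8; 32]) -> bool {
    let hex: String = key.iter().map(|b| format!("{:02x}", b)).collect();
    let decimal = format!("{:?}", key); // e.g. "[17, 17, 17, ...]"
    line.contains(&hex) || line.contains(&decimal)
}

fn main() {
    let leaky = LeakyBackupKey(SAMPLE_KEY);
    let safe = BackupDecryptionKey::from_bytes(SAMPLE_KEY);

    let leaky_line = debug_repr(&leaky);
    let safe_line = debug_repr(&safe);

    println!("derived Debug : {}", leaky_line);
    println!("exposes key?  : {}", log_line_exposes_key(&leaky_line, &SAMPLE_KEY));
    println!("redacted Debug: {}", safe_line);
    println!("exposes key?  : {}", log_line_exposes_key(&safe_line, &SAMPLE_KEY));
}
```

The `log_line_exposes_key` check is the kind of assertion worth keeping in a crate's test suite for every secret-bearing type: format the value with `{:?}` (and `{}` if it implements `Display`) and assert the key material is absent, so a future `#[derive(Debug)]` added for convenience fails CI instead of shipping.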

Patches

This issue has been resolved in matrix-sdk-crypto version 0.7.1.

Workarounds

None.

References

For more information

If you have any questions or comments about this advisory, please email us at security at matrix.org.

Database specific
{
    "nvd_published_at": "2024-05-14T15:38:43Z",
    "cwe_ids": [
        "CWE-532"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-13T16:04:37Z"
}
Affected packages

crates.io / matrix-sdk-crypto

Package

Name
matrix-sdk-crypto
Purl
pkg:cargo/matrix-sdk-crypto

Affected ranges

Type
SEMVER
Events
Introduced
0.7.0
Fixed
0.7.1

Affected versions

0.*

0.7.0