CVE-2024-40648 – matrix-sdk-crypto

Package

Manager: cargo
Name: matrix-sdk-crypto
Vulnerable Version: >=0 <0.7.2

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00063 pctl0.19936

Details

matrix-sdk-crypto's `UserIdentity::is_verified` not checking verification status of own user identity while performing the check The `UserIdentity::is_verified()` method in the matrix-sdk-crypto crate before version 0.7.2 doesn't take into account the verification status of the user's own identity while performing the check and may as a result return a value contrary to what is implied by its name and documentation. ### Impact If the method is used to decide whether to perform sensitive operations towards a user identity, a malicious homeserver could manipulate the outcome in order to make the identity appear trusted. This is not a typical usage of the method, which lowers the impact. The method itself is not used inside the `matrix-sdk-crypto` crate. ### Patches The 0.7.2 release of the `matrix-sdk-crypto` crate includes a fix. ### Workarounds None.

Metadata

Created: 2024-07-18T15:28:07Z
Modified: 2024-07-19T15:27:44Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-4qg4-cvh2-crgg/GHSA-4qg4-cvh2-crgg.json
CWE IDs: ["CWE-287", "CWE-863"]
Alternative ID: GHSA-4qg4-cvh2-crgg
Finding: F006
Auto approve: 1