CVE-2024-40648 in matrix-rust-sdkinfo

Zusammenfassung

von MITRE • 18.07.2024

matrix-rust-sdk is an implementation of a Matrix client-server library in Rust. The `UserIdentity::is_verified()` method in the matrix-sdk-crypto crate before version 0.7.2 doesn't take into account the verification status of the user's own identity while performing the check and may as a result return a value contrary to what is implied by its name and documentation. If the method is used to decide whether to perform sensitive operations towards a user identity, a malicious homeserver could manipulate the outcome in order to make the identity appear trusted. This is not a typical usage of the method, which lowers the impact. The method itself is not used inside the `matrix-sdk-crypto` crate. The 0.7.2 release of the `matrix-sdk-crypto` crate includes a fix. All users are advised to upgrade. There are no known workarounds for this vulnerability.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

Zuständig

GitHub M

Reservieren

08.07.2024

Veröffentlichung

18.07.2024

Moderieren

akzeptiert

Eintrag

VDB-271912

CPE

bereit

CWE

CWE-287 (bestätigt)

CVSS

5.4 (CNA)

EPSS

0.00066

KEV

nein

Aktivitäten

very low

Quellen

MITRE	https://www.cve.org/CVERecord?id=CVE-2024-40648
NVD	https://nvd.nist.gov/vuln/detail/CVE-2024-40648
CVE Details	https://www.cvedetails.com/cve/CVE-2024-40648/

◂ Zurück Übersicht Weiter ▸

Do you want to use VulDB in your project?

Use the official API to access entries easily!