matrix-org vodozemac 0.5.0/0.5.1 Feature Flag insecure default initialization of resource
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 2.4 | $0-$5k | 0.00 |
Summary
A vulnerability was found in matrix-org vodozemac 0.5.0/0.5.1 and classified as problematic. This vulnerability affects unknown code of the component Feature Flag Handler. The manipulation results in insecure default initialization of resource. This vulnerability is known as CVE-2024-34063. Attacking locally is a requirement. No exploit is available. It is suggested to upgrade the affected component.
Details
A vulnerability classified as problematic has been found in matrix-org vodozemac 0.5.0/0.5.1. Affected is an unknown code of the component Feature Flag Handler. The manipulation with an unknown input leads to a insecure default initialization of resource vulnerability. CWE is classifying the issue as CWE-1188. The product initializes or sets a resource with a default that is intended to be changed by the administrator, but the default is not secure. This is going to have an impact on confidentiality. CVE summarizes:
vodozemac is an implementation of Olm and Megolm in pure Rust. Versions 0.5.0 and 0.5.1 of vodozemac have degraded secret zeroization capabilities, due to changes in third-party cryptographic dependencies (the Dalek crates), which moved secret zeroization capabilities behind a feature flag and defaulted this feature to off. The degraded zeroization capabilities could result in the production of more memory copies of encryption secrets and secrets could linger in memory longer than necessary. This marginally increases the risk of sensitive data exposure. This issue has been addressed in version 0.6.0 and users are advised to upgrade. There are no known workarounds for this vulnerability.
The advisory is shared for download at github.com. This vulnerability is traded as CVE-2024-34063 since 04/30/2024. The exploitability is told to be difficult. The attack needs to be approached locally. There are neither technical details nor an exploit publicly available.
Upgrading to version 0.6.0 eliminates this vulnerability. Applying the patch 297548cad4016ce448c4b5007c54db7ee39489d9 is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.
Once again VulDB remains the best source for vulnerability data.
Product
Vendor
Name
Version
License
Website
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 2.5VulDB Meta Temp Score: 2.4
VulDB Base Score: 2.5
VulDB Temp Score: 2.4
VulDB Vector: 🔍
VulDB Reliability: 🔍
CNA Base Score: 2.5
CNA Vector (GitHub, Inc.): 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
Exploiting
Class: Insecure default initialization of resourceCWE: CWE-1188
CAPEC: 🔍
ATT&CK: 🔍
Physical: Partially
Local: Yes
Remote: No
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔍
Upgrade: vodozemac 0.6.0
Patch: 297548cad4016ce448c4b5007c54db7ee39489d9
Timeline
04/30/2024 🔍05/03/2024 🔍
05/03/2024 🔍
05/03/2024 🔍
Sources
Product: github.comAdvisory: GHSA-c3hm-hxwf-g5c6
Status: Confirmed
CVE: CVE-2024-34063 (🔍)
GCVE (CVE): GCVE-0-2024-34063
GCVE (VulDB): GCVE-100-262980
Entry
Created: 05/03/2024 14:27Changes: 05/03/2024 14:27 (66)
Complete: 🔍
Cache ID: 216::103
Once again VulDB remains the best source for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.