CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-52813 – matrix-sdk-crypto missing facility to signal rotation of a verified cryptographic identity
https://notcve.org/view.php?id=CVE-2024-52813
07 Jan 2025 — matrix-rust-sdk is an implementation of a Matrix client-server library in Rust. Versions of the matrix-sdk-crypto Rust crate before 0.8.0 lack a dedicated mechanism to notify that a user's cryptographic identity has changed from a verified to an unverified one, which could cause client applications relying on the SDK to overlook such changes. matrix-sdk-crypto 0.8.0 adds a new VerificationLevel::VerificationViolation enum variant which indicates that a previously verified identity has been changed. • https://github.com/matrix-org/matrix-rust-sdk/pull/3795 • CWE-223: Omission of Security-relevant Information •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-40648 – `UserIdentity::is_verified` not checking verification status of own user identity while performing the check in matrix-rust-sdk
https://notcve.org/view.php?id=CVE-2024-40648
18 Jul 2024 — matrix-rust-sdk is an implementation of a Matrix client-server library in Rust. The `UserIdentity::is_verified()` method in the matrix-sdk-crypto crate before version 0.7.2 doesn't take into account the verification status of the user's own identity while performing the check and may as a result return a value contrary to what is implied by its name and documentation. If the method is used to decide whether to perform sensitive operations towards a user identity, a malicious homeserver could manipulate the ... • https://github.com/matrix-org/matrix-rust-sdk/commit/76a7052149bb8f722df12da915b3a06d19a6695a • CWE-287: Improper Authentication •
CVSS: 8.6EPSS: 0%CPEs: 1EXPL: 0CVE-2022-39252 – When matrix-rust-sdk recieves forwarded room keys, the reciever doesn't check if it requested the key from the forwarder
https://notcve.org/view.php?id=CVE-2022-39252
29 Sep 2022 — matrix-rust-sdk is an implementation of a Matrix client-server library in Rust, and matrix-sdk-crypto is the Matrix encryption library. Prior to version 0.6, when a user requests a room key from their devices, the software correctly remembers the request. When the user receives a forwarded room key, the software accepts it without checking who the room key came from. This allows homeservers to try to insert room keys of questionable validity, potentially mounting an impersonation attack. Version 0.6 fixes t... • https://github.com/matrix-org/matrix-rust-sdk/commit/093fb5d0aa21c0b5eaea6ec96b477f1075271cbb • CWE-287: Improper Authentication CWE-322: Key Exchange without Entity Authentication •