CVE-2024-34353
matrix-sdk-crypto contains a log exposure of private key of the server-side key backup
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
The matrix-sdk-crypto crate, part of the Matrix Rust SDK project, is an implementation of a Matrix end-to-end encryption state machine in Rust. In Matrix, the server-side `key backup` stores encrypted copies of Matrix message keys. This facilitates key sharing between a user's devices and provides a redundant copy in case all devices are lost. The key backup uses asymmetric
cryptography, with each server-side key backup assigned a unique public-private key pair. Due to a logic bug introduced in commit 71136e44c03c79f80d6d1a2446673bc4d53a2067, matrix-sdk-crypto version 0.7.0 will sometimes log the private part of the backup key pair to Rust debug logs (using the `tracing` crate). This issue has been resolved in matrix-sdk-crypto version 0.7.1. No known workarounds are available.
La caja Matrix-sdk-crypto, parte del proyecto Matrix Rust SDK, es una implementación de una máquina de estado de cifrado de extremo a extremo de Matrix en Rust. En Matrix, la "copia de seguridad de claves" del lado del servidor almacena copias cifradas de las claves de mensajes de Matrix. Esto facilita el intercambio de claves entre los dispositivos de un usuario y proporciona una copia redundante en caso de que se pierdan todos los dispositivos. La copia de seguridad de claves utiliza criptografía asimétrica, y a cada copia de seguridad de claves del lado del servidor se le asigna un par de claves pública-privada único. Debido a un error lógico introducido en el commit 71136e44c03c79f80d6d1a2446673bc4d53a2067, la versión 0.7.0 de Matrix-sdk-crypto a veces registrará la parte privada del par de claves de respaldo en los registros de depuración de Rust (usando la caja de "rastreo"). Este problema se resolvió en la versión 0.7.1 de Matrix-sdk-crypto. No hay workarounds conocidos disponibles.
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2024-05-02 CVE Reserved
- 2024-05-13 CVE Published
- 2024-05-14 EPSS Updated
- 2024-08-02 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-532: Insertion of Sensitive Information into Log File
CAPEC
References (5)
| URL | Tag | Source |
|---|---|---|
| https://crates.io/crates/matrix-sdk-crypto/0.7.1 | X_refsource_misc | |
| https://github.com/matrix-org/matrix-rust-sdk/commit/71136e44c03c79f80d6d1a2446673bc4d53a2067 | X_refsource_misc | |
| https://github.com/matrix-org/matrix-rust-sdk/commit/fa10bbb5dd0f9120a51aa1854cec752e25790bb0 | X_refsource_misc | |
| https://github.com/matrix-org/matrix-rust-sdk/releases/tag/matrix-sdk-crypto-0.7.1 | X_refsource_misc | |
| https://github.com/matrix-org/matrix-rust-sdk/security/advisories/GHSA-9ggc-845v-gcgv | X_refsource_confirm |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Matrix-org Search vendor "Matrix-org" | Matrix-sdk-crypto Search vendor "Matrix-org" for product "Matrix-sdk-crypto" | 0.7.0 Search vendor "Matrix-org" for product "Matrix-sdk-crypto" and version "0.7.0" | en |
Affected
| ||||||