CVE-2021-40824

Опубликовано: 13 сент. 2021

Источник: nvd

CVSS3: 5.9

CVSS2: 4.3

EPSS Низкий

Описание

A logic error in the room key sharing functionality of Element Android before 1.2.2 and matrix-android-sdk2 (aka Matrix SDK for Android) before 1.2.2 allows a malicious Matrix homeserver present in an encrypted room to steal room encryption keys (via crafted Matrix protocol messages) that were originally sent by affected Matrix clients participating in that room. This allows the attacker to decrypt end-to-end encrypted messages sent by affected clients.

Ссылки

https://github.com/matrix-org/matrix-android-sdk2/releases/tag/v1.2.2
Patch
Third Party Advisory
https://matrix.org/blog/2021/09/13/vulnerability-disclosure-key-sharing
Vendor Advisory
https://github.com/matrix-org/matrix-android-sdk2/releases/tag/v1.2.2
Patch
Third Party Advisory
https://matrix.org/blog/2021/09/13/vulnerability-disclosure-key-sharing
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:matrix:element:*:*:*:*:*:android:*:*

Версия до 1.2.2 (исключая)

cpe:2.3:a:matrix:matrix-android-sdk2:*:*:*:*:*:android:*:*

Версия до 1.2.2 (исключая)

EPSS

Процентиль: 47%

0.00239

Низкий

5.9 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-290

Связанные уязвимости

GHSA-jjmc-4p83-pp26