What is CVE-2022-39252?

CVE-2022-39252 is a vulnerability in the matrix-rust-sdk and matrix-sdk-crypto libraries, prior to version 0.6, that allows an attacker to bypass encryption and obtain room keys.

How severe is CVE-2022-39252?

CVE-2022-39252 has a high severity rating with a CVSS score of 7.5.

Which software is affected by CVE-2022-39252?

The affected software is Matrix-rust-sdk version up to exclusive 0.6.

How can an attacker exploit CVE-2022-39252?

An attacker can exploit CVE-2022-39252 by requesting a room key and receiving a forwarded room key, bypassing encryption.

How can CVE-2022-39252 be fixed?

CVE-2022-39252 can be fixed by upgrading to version 0.6 or higher of the Matrix-rust-sdk library.

Vulnerability/
CVE-2022-39252

high

8.6

CWE

287 322

29/9/2022

3/8/2024

CVE-2022-39252: When matrix-rust-sdk recieves forwarded room keys, the reciever doesn't check if it requested the key from the forwarder

First published: Thu Sep 29 2022(Updated: )

matrix-rust-sdk is an implementation of a Matrix client-server library in Rust, and matrix-sdk-crypto is the Matrix encryption library. Prior to version 0.6, when a user requests a room key from their devices, the software correctly remembers the request. When the user receives a forwarded room key, the software accepts it without checking who the room key came from. This allows homeservers to try to insert room keys of questionable validity, potentially mounting an impersonation attack. Version 0.6 fixes this issue.

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
Matrix Matrix-rust-sdk	<0.6

Remedy

https://github.com/matrix-org/matrix-rust-sdk/commit/093fb5d0aa21c0b5eaea6ec96b477f1075271cbb

Remedy

https://github.com/matrix-org/matrix-rust-sdk/commit/41449d2cc360e347f5d4e1c154ec1e3185f11acd

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2022-39252?
CVE-2022-39252 is a vulnerability in the matrix-rust-sdk and matrix-sdk-crypto libraries, prior to version 0.6, that allows an attacker to bypass encryption and obtain room keys.
How severe is CVE-2022-39252?
CVE-2022-39252 has a high severity rating with a CVSS score of 7.5.
Which software is affected by CVE-2022-39252?
The affected software is Matrix-rust-sdk version up to exclusive 0.6.
How can an attacker exploit CVE-2022-39252?
An attacker can exploit CVE-2022-39252 by requesting a room key and receiving a forwarded room key, bypassing encryption.
How can CVE-2022-39252 be fixed?
CVE-2022-39252 can be fixed by upgrading to version 0.6 or higher of the Matrix-rust-sdk library.

collector/nvd-index
agent/references
agent/type
agent/weakness
agent/remedy
agent/softwarecombine
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/severity
agent/author
agent/title
agent/tags
agent/description
agent/first-publish-date
agent/event
vendor/matrix
canonical/matrix matrix-rust-sdk

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.