CVE Vulnerability

CVE-2022-39254

matrix-nio is a Python Matrix client library, designed according to sans I/O principles. Prior to version 0.20, when a users requests a room key from their devices, the software correctly remember the request. Once they receive a forwarded room key, they accept it without checking who the room key came from. This allows homeservers to try to insert room keys of questionable validity, potentially mounting an impersonation attack. Version 0.20 fixes the issue.

6.5 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/poljar/matrix-nio/security/advisories/GHSA-w4pr-4vjg-hffh Third Party Advisory
https://github.com/poljar/matrix-nio/commit/b1cbf234a831daa160673defd596e6450e9c29f0 Patch Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:matrix-nio_project:matrix-nio:*:*:*:*:*:*:*:*
Information

Published : 2022-09-29 03:15

Updated : 2022-10-03 07:42

NVD link : CVE-2022-39254

Mitre link : CVE-2022-39254

Products Affected
No products.
CWE
CWE-287

CWE-322