- Reported:
- Issued:
- Package: matrix-sdk-crypto (crates.io)
- Type: Vulnerability
- Aliases:
- References:
- CVSS Score: 4.9 MEDIUM
- CVSS Details
  - Attack vector: Network
  - Attack complexity: Low
  - Privileges required: High
  - User interaction: None
  - Scope: Unchanged
  - Confidentiality: None
  - Integrity: High
  - Availability: None
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
- Patched:
- Unaffected:
Description
matrix-sdk-crypto versions 0.8.0 up to and including 0.11.0 do not correctly validate the sender of an encrypted event. Accordingly, a malicious homeserver operator can modify events served to clients, making those events appear to the recipient as if they were sent by another user.
Although the CVSS score is 4.9 (AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N), we consider this a High severity security issue.
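The check the description is about, as an added illustration rather than code from the matrix-sdk-crypto crate: a simplified model in which each Megolm session remembers the user and device key it was received from over Olm, and an `m.room.encrypted` event is only attributed to its envelope `sender` when that sender matches the session's owner. The struct names, session ids and key strings are constructed for the example.

```rust
use std::collections::HashMap;

/// Identity a Megolm session was bound to when its room key arrived over the
/// authenticated Olm channel. Constructed model; the real crate stores more.
#[derive(Debug, Clone, PartialEq)]
struct SessionOwner {
    user_id: String,
    sender_key: String, // Curve25519 identity key of the sending device
}

/// Fields of an `m.room.encrypted` event used by the check. Every one of them
/// reaches the client in cleartext via the homeserver and can be rewritten there.
#[derive(Debug, Clone)]
struct EncryptedEvent<'a> {
    sender: &'a str,     // envelope field, written by the server
    sender_key: &'a str, // content field, also server-writable
    session_id: &'a str,
}

#[derive(Debug, PartialEq)]
enum Verdict { Ok, UnknownSession, SenderMismatch }

/// The trust anchor is the stored session metadata, not anything in the event:
/// an event may only be attributed to the user whose device created the session.
fn check_sender(sessions: &HashMap<String, SessionOwner>, ev: &EncryptedEvent) -> Verdict {
    match sessions.get(ev.session_id) {
        None => Verdict::UnknownSession,
        Some(owner) if owner.user_id != ev.sender || owner.sender_key != ev.sender_key => {
            Verdict::SenderMismatch
        }
        Some(_) => Verdict::Ok,
    }
}

/// Constructed session store: one session received from Alice's device.
fn sample_store() -> HashMap<String, SessionOwner> {
    let mut m = HashMap::new();
    m.insert("sess-1".into(), SessionOwner { user_id: "@alice:example.org".into(), sender_key: "CONSTRUCTED_KEY_A".into() });
    m
}

fn main() {
    let sessions = sample_store();
    let honest = EncryptedEvent { sender: "@alice:example.org", sender_key: "CONSTRUCTED_KEY_A", session_id: "sess-1" };
    // Same ciphertext and session, but the envelope sender was rewritten to Bob.
    let forged = EncryptedEvent { sender: "@bob:example.org", ..honest.clone() };
    println!("{:?} / {:?}", check_sender(&sessions, &honest), check_sender(&sessions, &forged));
}
```

Rewriting the `session_id` instead does not help the server either: the ciphertext would then fail to decrypt under the other session, so the binding between session owner and envelope sender is what closes the gap.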
Advisory available under CC0-1.0 license.