Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS00cWc0LWN2aDItY3JnZ84AA9_o

matrix-sdk-crypto's `UserIdentity::is_verified` not checking verification status of own user identity while performing the check

The UserIdentity::is_verified() method in the matrix-sdk-crypto crate before version 0.7.2 doesn't take into account the verification status of the user's own identity while performing the check and may as a result return a value contrary to what is implied by its name and documentation.

Impact

If the method is used to decide whether to perform sensitive operations towards a user identity, a malicious homeserver could manipulate the outcome in order to make the identity appear trusted. This is not a typical usage of the method, which lowers the impact. The method itself is not used inside the matrix-sdk-crypto crate.

Patches

The 0.7.2 release of the matrix-sdk-crypto crate includes a fix.

Workarounds

None.

Permalink: https://github.com/advisories/GHSA-4qg4-cvh2-crgg
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00cWc0LWN2aDItY3JnZ84AA9_o
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 6 months ago
Updated: 5 months ago

CVSS Score: 4.8
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

EPSS Percentage: 0.00043
EPSS Percentile: 0.10511

Identifiers: GHSA-4qg4-cvh2-crgg, CVE-2024-40648
References:

• https://github.com/matrix-org/matrix-rust-sdk/security/advisories/GHSA-4qg4-cvh2-crgg
• https://github.com/matrix-org/matrix-rust-sdk/commit/76a7052149bb8f722df12da915b3a06d19a6695a
• https://github.com/matrix-org/matrix-rust-sdk/releases/tag/0.7.2-crypto
• https://nvd.nist.gov/vuln/detail/CVE-2024-40648
• https://rustsec.org/advisories/RUSTSEC-2024-0356.html
• https://github.com/advisories/GHSA-4qg4-cvh2-crgg

Repository: https://github.com/matrix-org/matrix-rust-sdk
Blast Radius: 7.6

Affected Packages