An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS1yNXZmLXdmNGgtODJnZ84ABDCl

Severity: Moderate
EPSS: 0.00054% (0.17063 percentile)

matrix-sdk-crypto missing facility to signal rotation of a verified cryptographic identity

Affected Packages          Affected Versions   Fixed Versions
cargo:matrix-sdk-crypto    < 0.8.0             0.8.0

5 dependent packages
38 dependent repositories
118,818 downloads total

Affected Version Ranges

All affected versions

0.1.0, 0.2.0, 0.3.0, 0.4.0, 0.4.1, 0.5.0, 0.6.0, 0.7.0, 0.7.1, 0.7.2

All unaffected versions

0.8.0, 0.9.0, 0.10.0, 0.11.0, 0.11.1, 0.12.0, 0.13.0

Impact

Versions of the matrix-sdk-crypto Rust crate before 0.8.0 lack a dedicated mechanism to signal that a user's cryptographic identity has changed from a verified to an unverified state. Without such a distinct signal, client applications relying on the SDK could overlook the change and present the new, unverified identity no differently from one that was never verified.

Patches

matrix-sdk-crypto 0.8.0 adds a new VerificationLevel::VerificationViolation enum variant, which indicates that a previously verified identity has changed. Clients should upgrade to 0.8.0 or later and handle this variant explicitly rather than treating it as a generic unverified state.
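The following Rust program is an added illustration, not code from the advisory or from the matrix-sdk-crypto project. It models the distinction the 0.8.0 variant introduces: a client-side tracker that derives a "verification violation" when the master key of an identity the user had verified is replaced, keeps that state sticky until the user acknowledges it, and maps each state to a display policy. The enum shapes (VerificationState::Unverified(VerificationLevel)) mirror the SDK's as an assumption for illustration; the IdentityTracker, Policy, observe, mark_verified and acknowledge_change names and the "MSK-1"/"MSK-2" key labels are hypothetical and constructed for the example. The legacy_policy_for function shows what a client built on a pre-0.8.0 SDK effectively did, since it had no variant to match on.

```rust
use std::collections::HashMap;

/// Why a sender's identity is not trusted. Mirrors the shape of the SDK's
/// VerificationLevel (assumption for illustration, not the crate's definition).
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum VerificationLevel {
    /// The identity was never verified by the local user.
    UnverifiedIdentity,
    /// The identity was verified, but its master key has since changed.
    /// This is the case 0.8.0 added a variant for; earlier versions had none.
    VerificationViolation,
}

/// Mirrors the shape of the SDK's VerificationState (assumption).
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum VerificationState {
    Verified,
    Unverified(VerificationLevel),
}

/// Hypothetical client-side decision for a message from a sender in a given state.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Policy {
    Show,
    ShowWithUnverifiedBadge,
    BlockUntilAcknowledged,
}

struct IdentityRecord {
    master_key: String,
    verified: bool,
    /// Set when a verified master key is replaced; stays set until acknowledged.
    violation: bool,
}

/// Hypothetical tracker of each user's cross-signing master key and trust status.
#[derive(Default)]
pub struct IdentityTracker {
    known: HashMap<String, IdentityRecord>,
}

impl IdentityTracker {
    pub fn new() -> Self {
        Self::default()
    }

    /// The local user has interactively verified `user_id`'s current identity.
    pub fn mark_verified(&mut self, user_id: &str) {
        if let Some(rec) = self.known.get_mut(user_id) {
            rec.verified = true;
        }
    }

    /// The user has seen the identity-change warning; clear the sticky violation.
    pub fn acknowledge_change(&mut self, user_id: &str) {
        if let Some(rec) = self.known.get_mut(user_id) {
            rec.violation = false;
        }
    }

    /// Observe the master key currently advertised for `user_id` (for example from
    /// a device-list update) and derive the sender's verification state.
    pub fn observe(&mut self, user_id: &str, master_key: &str) -> VerificationState {
        let rec = self.known.entry(user_id.to_string()).or_insert_with(|| IdentityRecord {
            master_key: master_key.to_string(),
            verified: false,
            violation: false,
        });
        if rec.master_key != master_key {
            // Key rotated. Only the rotation of a *verified* key is a violation.
            if rec.verified {
                rec.violation = true;
            }
            rec.master_key = master_key.to_string();
            rec.verified = false;
        }
        if rec.violation {
            VerificationState::Unverified(VerificationLevel::VerificationViolation)
        } else if rec.verified {
            VerificationState::Verified
        } else {
            VerificationState::Unverified(VerificationLevel::UnverifiedIdentity)
        }
    }
}

/// With a distinct violation variant a client can single out the dangerous case.
pub fn policy_for(state: &VerificationState) -> Policy {
    match state {
        VerificationState::Verified => Policy::Show,
        VerificationState::Unverified(VerificationLevel::UnverifiedIdentity) => {
            Policy::ShowWithUnverifiedBadge
        }
        VerificationState::Unverified(VerificationLevel::VerificationViolation) => {
            Policy::BlockUntilAcknowledged
        }
    }
}

/// What a client on a pre-0.8.0 SDK effectively did: every unverified state looks
/// the same, so the rotation of a verified identity becomes a mere badge.
pub fn legacy_policy_for(state: &VerificationState) -> Policy {
    match state {
        VerificationState::Verified => Policy::Show,
        VerificationState::Unverified(_) => Policy::ShowWithUnverifiedBadge,
    }
}

fn main() {
    // Constructed sample: Alice is verified, then her identity is re-created.
    let mut tracker = IdentityTracker::new();
    tracker.observe("@alice:example.org", "MSK-1");
    tracker.mark_verified("@alice:example.org");
    let state = tracker.observe("@alice:example.org", "MSK-2");
    println!(
        "{:?}: new policy {:?}, legacy policy {:?}",
        state,
        policy_for(&state),
        legacy_policy_for(&state)
    );
}
```

The design point is that the violation state is sticky: a client must not let the warning disappear just because the same new key is observed again, otherwise a single dismissed notification is all an attacker who has replaced a user's identity needs. Real clients get this state from the SDK rather than tracking it themselves; the tracker here exists only to show what the missing facility had to express.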
