CVE-2024-34353

The matrix-sdk-crypto crate, part of the Matrix Rust SDK project, is an implementation of a Matrix end-to-end encryption state machine in Rust. In Matrix, the server-side `key backup` stores encrypted copies of Matrix message keys. This facilitates key sharing between a user's devices and provides a redundant copy in case all devices are lost. The key backup uses asymmetric cryptography, with each server-side key backup assigned a unique public-private key pair. Due to a logic bug introduced in commit 71136e44c03c79f80d6d1a2446673bc4d53a2067, matrix-sdk-crypto version 0.7.0 will sometimes log the private part of the backup key pair to Rust debug logs (using the `tracing` crate). This issue has been resolved in matrix-sdk-crypto version 0.7.1. No known workarounds are available.

Configurations

No configuration.

History

21 Nov 2024, 09:18

| Type | Values Removed | Values Added |
|---|---|---|
| Summary | | (es) The matrix-sdk-crypto crate, part of the Matrix Rust SDK project, is an implementation of a Matrix end-to-end encryption state machine in Rust. In Matrix, the server-side "key backup" stores encrypted copies of Matrix message keys. This facilitates key sharing between a user's devices and provides a redundant copy in case all devices are lost. The key backup uses asymmetric cryptography, with each server-side key backup assigned a unique public-private key pair. Due to a logic bug introduced in commit 71136e44c03c79f80d6d1a2446673bc4d53a2067, matrix-sdk-crypto version 0.7.0 will sometimes log the private part of the backup key pair to Rust debug logs (using the `tracing` crate). This issue was resolved in matrix-sdk-crypto version 0.7.1. No known workarounds are available. |
| References | https://crates.io/crates/matrix-sdk-crypto/0.7.1 | https://crates.io/crates/matrix-sdk-crypto/0.7.1 |
| References | https://github.com/matrix-org/matrix-rust-sdk/commit/71136e44c03c79f80d6d1a2446673bc4d53a2067 | https://github.com/matrix-org/matrix-rust-sdk/commit/71136e44c03c79f80d6d1a2446673bc4d53a2067 |
| References | https://github.com/matrix-org/matrix-rust-sdk/commit/fa10bbb5dd0f9120a51aa1854cec752e25790bb0 | https://github.com/matrix-org/matrix-rust-sdk/commit/fa10bbb5dd0f9120a51aa1854cec752e25790bb0 |
| References | https://github.com/matrix-org/matrix-rust-sdk/releases/tag/matrix-sdk-crypto-0.7.1 | https://github.com/matrix-org/matrix-rust-sdk/releases/tag/matrix-sdk-crypto-0.7.1 |
| References | https://github.com/matrix-org/matrix-rust-sdk/security/advisories/GHSA-9ggc-845v-gcgv | https://github.com/matrix-org/matrix-rust-sdk/security/advisories/GHSA-9ggc-845v-gcgv |

14 May 2024, 16:17

| Type | Values Removed | Values Added |
|---|---|---|
| Summary | (en) matrix-rust-sdk is an implementation of a Matrix client-server library in Rust. In Matrix, the server-side *key backup* stores encrypted copies of Matrix message keys. This facilitates key sharing between a user's devices and provides a redundant copy in case all devices are lost. The key backup uses asymmetric cryptography, with each server-side key backup assigned a unique public-private key pair. Due to a logic bug introduced in commit 71136e44c03c79f80d6d1a2446673bc4d53a2067, the Matrix Rust SDK version 0.7.0 will sometimes log the private part of the backup key pair to Rust debug logs (using the `tracing` crate). This issue has been resolved in the Matrix Rust SDK version 0.7.1. No known workarounds are available. | (en) The matrix-sdk-crypto crate, part of the Matrix Rust SDK project, is an implementation of a Matrix end-to-end encryption state machine in Rust. In Matrix, the server-side `key backup` stores encrypted copies of Matrix message keys. This facilitates key sharing between a user's devices and provides a redundant copy in case all devices are lost. The key backup uses asymmetric cryptography, with each server-side key backup assigned a unique public-private key pair. Due to a logic bug introduced in commit 71136e44c03c79f80d6d1a2446673bc4d53a2067, matrix-sdk-crypto version 0.7.0 will sometimes log the private part of the backup key pair to Rust debug logs (using the `tracing` crate). This issue has been resolved in matrix-sdk-crypto version 0.7.1. No known workarounds are available. |

14 May 2024, 15:38

Type Values Removed Values Added
New CVE

Information

Published : 2024-05-14 15:38

Updated : 2024-11-21 09:18


NVD link : CVE-2024-34353

Mitre link : CVE-2024-34353

CVE.ORG link : CVE-2024-34353


Products Affected

No product.

CWE
CWE-532

Insertion of Sensitive Information into Log File