Vulnerability Description
matrix-rust-sdk is an implementation of a Matrix client-server library in Rust, and matrix-sdk-crypto is the Matrix encryption library. Prior to version 0.6, when a user requests a room key from their devices, the software correctly remembers the request. When the user receives a forwarded room key, the software accepts it without checking who the room key came from. This allows homeservers to try to insert room keys of questionable validity, potentially mounting an impersonation attack. Version 0.6 fixes this issue.
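The check the description is about, as an added example rather than code from matrix-rust-sdk: a client that remembers which device it sent a room key request to must also require that the forwarded key comes back from that same device. The types below are constructed for this illustration; the `sender` field stands in for the device identity the client learns from the authenticated Olm channel the to-device message arrived on (an assumption of this model, since a homeserver can relabel anything it merely relays). `receive_unchecked` mirrors the pre-0.6 behaviour of accepting any key that matches a pending request; `receive_checked` is the hardened form.

```rust
use std::collections::HashMap;

/// Device identity as the receiving client knows it. Assumed to be derived
/// from the Olm session the message came over, not from a relayed field.
#[derive(Clone, Debug, PartialEq, Eq, Hash)]
pub struct DeviceId {
    pub user_id: String,
    pub device_id: String,
}

/// Constructed simplification of a forwarded room key: only the fields the
/// acceptance check needs.
#[derive(Clone, Debug)]
pub struct ForwardedRoomKey {
    pub room_id: String,
    pub session_id: String,
    pub session_key: Vec<u8>,
    /// Device that actually delivered the key.
    pub sender: DeviceId,
}

#[derive(Debug, PartialEq, Eq)]
pub enum Verdict {
    Accepted,
    NoPendingRequest,
    UnexpectedSender,
}

/// Minimal store: outstanding requests and the sessions accepted so far.
#[derive(Default)]
pub struct KeyStore {
    /// (room_id, session_id) -> device the request was sent to.
    pending: HashMap<(String, String), DeviceId>,
    /// (room_id, session_id) -> accepted session key.
    sessions: HashMap<(String, String), Vec<u8>>,
}

impl KeyStore {
    pub fn new() -> Self {
        Self::default()
    }

    /// Remember the request together with the device it went to.
    pub fn request_key(&mut self, room_id: &str, session_id: &str, to: DeviceId) {
        self.pending.insert((room_id.to_string(), session_id.to_string()), to);
    }

    pub fn has_session(&self, room_id: &str, session_id: &str) -> bool {
        self.sessions.contains_key(&(room_id.to_string(), session_id.to_string()))
    }

    /// Shape of the flaw: a request is pending, so the key is stored no
    /// matter which device sent it.
    pub fn receive_unchecked(&mut self, key: &ForwardedRoomKey) -> Verdict {
        let id = (key.room_id.clone(), key.session_id.clone());
        if self.pending.remove(&id).is_none() {
            return Verdict::NoPendingRequest;
        }
        self.sessions.insert(id, key.session_key.clone());
        Verdict::Accepted
    }

    /// Hardened form: accept only if the sender is the device asked. The
    /// request stays pending on mismatch so the genuine reply still works.
    pub fn receive_checked(&mut self, key: &ForwardedRoomKey) -> Verdict {
        let id = (key.room_id.clone(), key.session_id.clone());
        let expected = match self.pending.get(&id) {
            Some(dev) => dev,
            None => return Verdict::NoPendingRequest,
        };
        if *expected != key.sender {
            return Verdict::UnexpectedSender;
        }
        self.pending.remove(&id);
        self.sessions.insert(id, key.session_key.clone());
        Verdict::Accepted
    }
}

/// Constructed scenario: the request went to one of our own devices, but a
/// key for that session arrives from an unrelated device.
/// Returns (verdict without the check, verdict with the check).
pub fn demo() -> (Verdict, Verdict) {
    let ours = DeviceId { user_id: "@alice:example.org".into(), device_id: "DEVICE_A".into() };
    let other = DeviceId { user_id: "@someone:example.org".into(), device_id: "DEVICE_X".into() };
    let forged = ForwardedRoomKey {
        room_id: "!room:example.org".into(),
        session_id: "session1".into(),
        session_key: b"not-the-real-key".to_vec(),
        sender: other,
    };

    let mut vulnerable = KeyStore::new();
    vulnerable.request_key("!room:example.org", "session1", ours.clone());
    let v1 = vulnerable.receive_unchecked(&forged);

    let mut fixed = KeyStore::new();
    fixed.request_key("!room:example.org", "session1", ours);
    let v2 = fixed.receive_checked(&forged);
    (v1, v2)
}

fn main() {
    let (v1, v2) = demo();
    println!("unchecked: {:?}, checked: {:?}", v1, v2);
}
```

The unchecked path stores the unrelated key and would then decrypt, and attribute, messages under a session it never verified; the checked path leaves the request pending and drops the key. In a real client the comparison must be against the cryptographic device identity established by the Olm session, since that is the only part of a to-device message a relaying homeserver cannot rewrite.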
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Matrix | Matrix-Rust-Sdk | < 0.6 |
Related Weaknesses (CWE)
References
- https://github.com/matrix-org/matrix-rust-sdk/commit/093fb5d0aa21c0b5eaea6ec96b4 (Patch, Third Party Advisory)
- https://github.com/matrix-org/matrix-rust-sdk/commit/41449d2cc360e347f5d4e1c154e (Patch, Third Party Advisory)
- https://github.com/matrix-org/matrix-rust-sdk/releases/tag/matrix-sdk-0.6.0 (Release Notes, Third Party Advisory)
- https://github.com/matrix-org/matrix-rust-sdk/security/advisories/GHSA-vp68-2wrm (Third Party Advisory)
FAQ
What is CVE-2022-39252?
CVE-2022-39252 is a vulnerability with a CVSS score of 8.6 (HIGH). matrix-rust-sdk is an implementation of a Matrix client-server library in Rust, and matrix-sdk-crypto is the Matrix encryption library. Prior to version 0.6, when a user requests a room key from their...
How severe is CVE-2022-39252?
CVE-2022-39252 has been rated HIGH with a CVSS base score of 8.6/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2022-39252?
Check the references section above for vendor advisories and patch information. Affected products include: Matrix Matrix-Rust-Sdk.