CVE-2021-40823

EPSS 0.26%
Published 13.09.2021 19:15:19
Last modified 21.11.2024 06:24:50
Source cve@mitre.org
Teams watchlist Login
Open Login

A logic error in the room key sharing functionality of matrix-js-sdk (aka Matrix Javascript SDK) before 12.4.1 allows a malicious Matrix homeserver present in an encrypted room to steal room encryption keys (via crafted Matrix protocol messages) that were originally sent by affected Matrix clients participating in that room. This allows the homeserver to decrypt end-to-end encrypted messages sent by affected clients.

Affected products Warnungen 0 Metrics 3 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

Matrix ≫ Javascript Sdk Version < 12.4.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.26%	0.465

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	5.9	2.2	3.6	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov	4.3	8.6	2.9	AV:N/AC:M/Au:N/C:P/I:N/A:N

CWE-290 Authentication Bypass by Spoofing

This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.

https://github.com/matrix-org/matrix-js-sdk/releases/tag/v12.4.1

Third Party Advisory

https://matrix.org/blog/2021/09/13/vulnerability-disclosure-key-sharing

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2021-40823

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-40823

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-40823

EUVD