5.9

CVE-2021-40824

EPSS 0.24%
Published 13.09.2021 19:15:19
Last modified 21.11.2024 06:24:50
Source cve@mitre.org
Teams watchlist Login
Open Login

A logic error in the room key sharing functionality of Element Android before 1.2.2 and matrix-android-sdk2 (aka Matrix SDK for Android) before 1.2.2 allows a malicious Matrix homeserver present in an encrypted room to steal room encryption keys (via crafted Matrix protocol messages) that were originally sent by affected Matrix clients participating in that room. This allows the attacker to decrypt end-to-end encrypted messages sent by affected clients.

Affected products Warnungen 0 Metrics 3 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

Matrix ≫ Element SwPlatformandroid Version < 1.2.2

Matrix ≫ Matrix-android-sdk2 SwPlatformandroid Version < 1.2.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.24%	0.441

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	5.9	2.2	3.6	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov	4.3	8.6	2.9	AV:N/AC:M/Au:N/C:P/I:N/A:N

CWE-290 Authentication Bypass by Spoofing

This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.

https://matrix.org/blog/2021/09/13/vulnerability-disclosure-key-sharing

Vendor Advisory

https://github.com/matrix-org/matrix-android-sdk2/releases/tag/v1.2.2

Patch

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2021-40824

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-40824

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-40824

EUVD