CVE-2022-39254

EPSS 0.23%
Veröffentlicht 29.09.2022 15:15:10
Zuletzt bearbeitet 21.11.2024 07:17:53
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

matrix-nio is a Python Matrix client library, designed according to sans I/O principles. Prior to version 0.20, when a users requests a room key from their devices, the software correctly remember the request. Once they receive a forwarded room key, they accept it without checking who the room key came from. This allows homeservers to try to insert room keys of questionable validity, potentially mounting an impersonation attack. Version 0.20 fixes the issue.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Matrix-nio Project ≫ Matrix-nio Version < 0.20

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.23%	0.461

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
security-advisories@github.com	8.6	3.9	4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

CWE-322 Key Exchange without Entity Authentication

The product performs a key exchange with an actor without verifying the identity of that actor.

https://github.com/poljar/matrix-nio/commit/b1cbf234a831daa160673defd596e6450e9c29f0

Patch

Third Party Advisory

https://github.com/poljar/matrix-nio/security/advisories/GHSA-w4pr-4vjg-hffh

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2022-39254

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-39254

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-39254

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2022-39254