matrix-nio is a Python Matrix client library, designed according to sans I/O principles. Prior to version 0.20, when a users requests a room key from their devices, the software correctly remember the request. Once they receive a forwarded room key, they accept it without checking who the room key came from. This allows homeservers to try to insert room keys of questionable validity, potentially mounting an impersonation attack. Version 0.20 fixes the issue.
References
Link | Resource |
---|---|
https://github.com/poljar/matrix-nio/commit/b1cbf234a831daa160673defd596e6450e9c29f0 | Patch Third Party Advisory |
https://github.com/poljar/matrix-nio/security/advisories/GHSA-w4pr-4vjg-hffh | Third Party Advisory |
Configurations
History
13 Jul 2023, 17:24
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-287 |
NVD-CWE-Other |
03 Oct 2022, 19:42
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:matrix-nio_project:matrix-nio:*:*:*:*:*:*:*:* | |
First Time |
Matrix-nio Project matrix-nio
Matrix-nio Project |
|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 6.5 |
References | (CONFIRM) https://github.com/poljar/matrix-nio/security/advisories/GHSA-w4pr-4vjg-hffh - Third Party Advisory | |
References | (MISC) https://github.com/poljar/matrix-nio/commit/b1cbf234a831daa160673defd596e6450e9c29f0 - Patch, Third Party Advisory |
29 Sep 2022, 15:27
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-09-29 15:15
Updated : 2023-12-10 14:35
NVD link : CVE-2022-39254
Mitre link : CVE-2022-39254
CVE.ORG link : CVE-2022-39254
JSON object : View
Products Affected
matrix-nio_project
- matrix-nio
CWE