CVE-2022-39248

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-39248
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-39248.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-39248
Aliases
Withdrawn
2024-09-03T02:02:24.752502Z
Published
2022-09-28T20:15:15Z
Modified
2024-09-02T01:12:16.959743Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
Summary
[none]
Details

matrix-android-sdk2 is the Matrix SDK for Android. Prior to version 1.5.1, an attacker cooperating with a malicious homeserver can construct messages that legitimately appear to have come from another person, without any indication such as a grey shield. Additionally, a sophisticated attacker cooperating with a malicious homeserver could employ this vulnerability to perform a targeted attack in order to send fake to-device messages appearing to originate from another user. This can allow, for example, to inject the key backup secret during a self-verification, to make a targeted device start using a malicious key backup spoofed by the homeserver. matrix-android-sdk2 would then additionally sign such a key backup with its device key, spilling trust over to other devices trusting the matrix-android-sdk2 device. These attacks are possible due to a protocol confusion vulnerability that accepts to-device messages encrypted with Megolm instead of Olm. matrix-android-sdk2 version 1.5.1 has been modified to only accept Olm-encrypted to-device messages and to stop signing backups on a successful decryption. Out of caution, several other checks have been audited or added. This attack requires coordination between a malicious home server and an attacker, so those who trust their home servers do not need a workaround.

References

Affected packages

Git / github.com/matrix-org/matrix-android-sdk2

Affected ranges

Type
GIT
Repo
https://github.com/matrix-org/matrix-android-sdk2
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v0.*

v0.0.1

v1.*

v1.0.10
v1.0.11
v1.0.12
v1.0.13
v1.0.16
v1.0.5
v1.0.6
v1.0.7
v1.0.9
v1.1.1
v1.1.4
v1.1.5
v1.1.8
v1.1.9
v1.2.0
v1.2.0-RC1
v1.2.0-RC2
v1.2.0-RC3
v1.2.1
v1.2.2
v1.3.0
v1.3.10
v1.3.13
v1.3.14
v1.3.18
v1.3.2
v1.3.4
v1.3.7
v1.3.8
v1.3.9
v1.4.11
v1.4.13
v1.4.14
v1.4.16
v1.4.2
v1.4.25
v1.4.27
v1.4.32
v1.4.4