Logging of Private Backup Key in Matrix Rust SDK Version 0.7.0
CVE-2024-34353

5.5MEDIUM

Key Information:

Vendor

Matrix-org

Status
Matrix-sdk-crypto
Vendor
CVE Published:
14 May 2024

What is CVE-2024-34353?

The matrix-sdk-crypto crate, part of the Matrix Rust SDK project, is an implementation of a Matrix end-to-end encryption state machine in Rust. In Matrix, the server-side key backup stores encrypted copies of Matrix message keys. This facilitates key sharing between a user's devices and provides a redundant copy in case all devices are lost. The key backup uses asymmetric cryptography, with each server-side key backup assigned a unique public-private key pair. Due to a logic bug introduced in commit 71136e44c03c79f80d6d1a2446673bc4d53a2067, matrix-sdk-crypto version 0.7.0 will sometimes log the private part of the backup key pair to Rust debug logs (using the tracing crate). This issue has been resolved in matrix-sdk-crypto version 0.7.1. No known workarounds are available.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

matrix-sdk-crypto = 0.7.0

References

https://github.com/matrix-org/matrix-rust-sdk/security/ad...
x_refsource_CONFIRM
https://github.com/matrix-org/matrix-rust-sdk/commit/7113...
x_refsource_MISC
https://github.com/matrix-org/matrix-rust-sdk/commit/fa10...
x_refsource_MISC

CVSS V3.1

Score:
5.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.