Logging of Private Backup Key in Matrix Rust SDK Version 0.7.0
CVE-2024-34353

5.5MEDIUM

Key Information:

Vendor: Matrix-org
Status: Matrix-sdk-crypto
Vendor: CVE Published:; 14 May 2024

What is CVE-2024-34353?

The matrix-sdk-crypto crate, part of the Matrix Rust SDK project, is an implementation of a Matrix end-to-end encryption state machine in Rust. In Matrix, the server-side key backup stores encrypted copies of Matrix message keys. This facilitates key sharing between a user's devices and provides a redundant copy in case all devices are lost. The key backup uses asymmetric cryptography, with each server-side key backup assigned a unique public-private key pair. Due to a logic bug introduced in commit 71136e44c03c79f80d6d1a2446673bc4d53a2067, matrix-sdk-crypto version 0.7.0 will sometimes log the private part of the backup key pair to Rust debug logs (using the tracing crate). This issue has been resolved in matrix-sdk-crypto version 0.7.1. No known workarounds are available.

Affected Version(s)

matrix-sdk-crypto = 0.7.0

References

https://github.com/matrix-org/matrix-rust-sdk/security/ad...

x_refsource_CONFIRM

https://github.com/matrix-org/matrix-rust-sdk/commit/7113...

x_refsource_MISC

https://github.com/matrix-org/matrix-rust-sdk/commit/fa10...

x_refsource_MISC

CVSS V3.1

Score:

5.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 14, 2024
Vulnerability Reserved
May 2, 2024

Matrix-org

What is CVE-2024-34353?

Affected Version(s)

References

CVSS V3.1

Timeline