Vulnerability Details : CVE-2022-39246
matrix-android-sdk2 is the Matrix SDK for Android. Prior to version 1.5.1, an attacker cooperating with a malicious homeserver can construct messages appearing to have come from another person. Such messages will be marked with a grey shield on some platforms, but this may be missing in others. This attack is possible because the key forwarding strategy implemented in matrix-android-sdk2 is too permissive. Starting with version 1.5.1, the default policy for accepting key forwards in matrix-android-sdk2 has been made more strict: the SDK will now only accept forwarded keys in response to previously issued requests, and only from the user's own verified devices. The SDK now sets a `trusted` flag on the decrypted message upon decryption, based on whether the key used to decrypt the message was received from a trusted source. Clients need to ensure that messages decrypted with a key with `trusted = false` are decorated appropriately (for example, by showing a warning for such messages). As a workaround, current users of the SDK can disable key forwarding in their forks using `CryptoService#enableKeyGossiping(enable: Boolean)`.
Vulnerability category: Bypass; Gain privilege
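The acceptance policy described above can be modelled in a few dozen lines. The following is an added example, not code from matrix-android-sdk2; every type and function name in it (`KeyStore`, `ForwardedRoomKey`, `accept_forward_strict`, `accept_forward_permissive`, `render`) is a constructed stand-in for the SDK's real crypto layer, and the "decryption" is a string prefix check rather than Megolm. It contrasts a permissive policy (any forward is stored, so the origin is unproven and the key must be flagged untrusted) with the strict 1.5.1-style policy (only forwards answering an outstanding request from one of the user's own verified devices are accepted), then shows the `trusted` flag surfacing on the decrypted message so a client can decorate it.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple

# Constructed toy model of the key-forward acceptance policy. None of these
# types are the SDK's own; they exist only to make the policy explicit.


@dataclass(frozen=True)
class Device:
    user_id: str
    device_id: str
    verified: bool  # result of cross-signing / manual verification (assumed)


@dataclass(frozen=True)
class ForwardedRoomKey:
    """A forwarded room key as seen by the receiving client."""
    sender_user: str    # who, according to the homeserver, forwarded the key
    sender_device: str
    room_id: str
    session_id: str
    key_material: str   # stands in for the Megolm session key


@dataclass(frozen=True)
class EncryptedEvent:
    room_id: str
    session_id: str
    ciphertext: str     # toy format: "<key_material>:<plaintext>"


@dataclass(frozen=True)
class DecryptedEvent:
    plaintext: str
    trusted: bool       # True only if the key came from a trusted source


class KeyStore:
    def __init__(self, own_user_id: str, own_devices: Iterable[Device],
                 key_gossiping_enabled: bool = True) -> None:
        self.own_user_id = own_user_id
        self.own_devices: Dict[str, Device] = {d.device_id: d for d in own_devices}
        self.key_gossiping_enabled = key_gossiping_enabled  # enableKeyGossiping analogue
        self.pending_requests: Set[Tuple[str, str]] = set()   # (room_id, session_id)
        self.sessions: Dict[str, Tuple[str, bool]] = {}       # session_id -> (key, trusted)

    def request_key(self, room_id: str, session_id: str) -> None:
        """Record that we asked our other devices for this session's key."""
        self.pending_requests.add((room_id, session_id))

    def accept_forward_permissive(self, fwd: ForwardedRoomKey) -> bool:
        """Pre-1.5.1-style policy: any forward is stored. The origin is never
        proven, so the key is marked untrusted."""
        if not self.key_gossiping_enabled:
            return False
        self.sessions[fwd.session_id] = (fwd.key_material, False)
        return True

    def accept_forward_strict(self, fwd: ForwardedRoomKey) -> bool:
        """1.5.1-style policy: accept only in response to a previously issued
        request, and only from one of our own verified devices."""
        if not self.key_gossiping_enabled:
            return False
        if (fwd.room_id, fwd.session_id) not in self.pending_requests:
            return False                      # unsolicited forward
        if fwd.sender_user != self.own_user_id:
            return False                      # forwarded by someone else
        dev = self.own_devices.get(fwd.sender_device)
        if dev is None or not dev.verified:
            return False                      # unknown or unverified own device
        self.pending_requests.discard((fwd.room_id, fwd.session_id))
        self.sessions[fwd.session_id] = (fwd.key_material, True)
        return True

    def decrypt(self, ev: EncryptedEvent) -> Optional[DecryptedEvent]:
        """Toy decryption that carries the key's trust status onto the event."""
        entry = self.sessions.get(ev.session_id)
        if entry is None:
            return None                       # no key for this session
        key, trusted = entry
        prefix = key + ":"
        if not ev.ciphertext.startswith(prefix):
            return None                       # wrong key for this ciphertext
        return DecryptedEvent(ev.ciphertext[len(prefix):], trusted)


def render(ev: DecryptedEvent) -> str:
    """What a client should do with the flag: decorate untrusted messages."""
    if ev.trusted:
        return ev.plaintext
    return "[WARNING: decrypted with an untrusted key] " + ev.plaintext
```

In practice the strict path means a client that never requested a session's key simply cannot be handed one by a third party, and anything that does get in through a weaker path is visibly marked rather than silently shown as authentic.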
Products affected by CVE-2022-39246
- cpe:2.3:a:matrix:software_development_kit:*:*:*:*:*:android:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-39246
EPSS score: 0.10% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~42% (the proportion of vulnerabilities that are scored at or below this score)
CVSS scores for CVE-2022-39246
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N | 3.9 | 1.4 | NIST | |
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N | 3.9 | 3.6 | GitHub, Inc. | |
CWE ids for CVE-2022-39246
- When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. Assigned by: security-advisories@github.com (Primary)
- The product performs a key exchange with an actor without verifying the identity of that actor. Assigned by: security-advisories@github.com (Primary)
References for CVE-2022-39246
- https://github.com/matrix-org/matrix-android-sdk2/releases/tag/v1.5.1
  Release v1.5.1 · matrix-org/matrix-android-sdk2 · GitHub (Release Notes; Third Party Advisory)
- https://github.com/matrix-org/matrix-android-sdk2/security/advisories/GHSA-2pvj-p485-cp3m
  Impersonation via forwarded Megolm sessions · Advisory · matrix-org/matrix-android-sdk2 · GitHub (Mitigation; Patch; Third Party Advisory)
- https://github.com/matrix-org/matrix-android-sdk2/commit/77df720a238d17308deab83ecaa37f7a4740a17e
  Merge branch 'release/1.5.1' into develop · matrix-org/matrix-android-sdk2@77df720 · GitHub (Patch; Third Party Advisory)
- https://github.com/matrix-org/matrix-spec-proposals/pull/3061
  MSC3061: Sharing room keys for past messages by uhoreg · Pull Request #3061 · matrix-org/matrix-spec-proposals · GitHub (Patch; Third Party Advisory)