matrix-android-sdk2 is the Matrix SDK for Android. Prior to version 1.5.1, an attacker cooperating with a malicious homeserver can construct messages that legitimately appear to have come from another person, without any indication such as a grey shield. Additionally, a sophisticated attacker cooperating with a malicious homeserver could employ this vulnerability to perform a targeted attack in order to send fake to-device messages appearing to originate from another user. This can allow, for example, to inject the key backup secret during a self-verification, to make a targeted device start using a malicious key backup spoofed by the homeserver. matrix-android-sdk2 would then additionally sign such a key backup with its device key, spilling trust over to other devices trusting the matrix-android-sdk2 device. These attacks are possible due to a protocol confusion vulnerability that accepts to-device messages encrypted with Megolm instead of Olm. matrix-android-sdk2 version 1.5.1 has been modified to only accept Olm-encrypted to-device messages and to stop signing backups on a successful decryption. Out of caution, several other checks have been audited or added. This attack requires coordination between a malicious home server and an attacker, so those who trust their home servers do not need a workaround.
Published 2022-09-28 20:15:16
Updated 2022-09-30 16:24:10
Source GitHub, Inc.
View at NVD,
Vulnerability category: BypassGain privilege

Exploit prediction scoring system (EPSS) score for CVE-2022-39248

Probability of exploitation activity in the next 30 days EPSS Score History
~ 37 %
Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-39248

Base Score Base Severity CVSS Vector Exploitability Score Impact Score Score Source First Seen
GitHub, Inc.

CWE ids for CVE-2022-39248

  • When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
    Assigned by: (Primary)
  • The product performs a key exchange with an actor without verifying the identity of that actor.
    Assigned by: (Primary)

References for CVE-2022-39248

Products affected by CVE-2022-39248

This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to terms of use!