Vulnerability Details : CVE-2022-39264
nheko is a desktop client for the Matrix communication protocol. All versions below 0.10.2 are vulnerable to a homeserver inserting malicious secrets in response to secret requests, which could lead to man-in-the-middle attacks. Users can upgrade to version 0.10.2 to protect against this issue. As a workaround, one may apply the patch manually, avoid verifying one's own devices, and/or avoid pressing the request button in the settings menu.
Vulnerability category: Bypass; Gain privilege
Products affected by CVE-2022-39264
- cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
- cpe:2.3:a:nheko-reborn:nheko:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-39264
0.12% (probability of exploitation activity in the next 30 days)
~45th percentile (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2022-39264
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N | 2.2 | 3.6 | NIST | 
8.6 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N | 3.9 | 4.0 | GitHub, Inc. | 
CWE ids for CVE-2022-39264
- When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. (Assigned by: security-advisories@github.com, Primary)
- The product does not validate, or incorrectly validates, a certificate. (Assigned by: security-advisories@github.com, Primary)
References for CVE-2022-39264
- https://github.com/Nheko-Reborn/nheko/releases/tag/v0.10.2
  Release v0.10.2 · Nheko-Reborn/nheko · GitHub (Release Notes)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YBOL6OOQGPZD2RLYT4EHAWTFXNIHLYEN/
  [SECURITY] Fedora 37 Update: nheko-0.10.2-1.fc37 - package-announce - Fedora Mailing-Lists (Mailing List; Third Party Advisory)
- https://github.com/Nheko-Reborn/nheko/commit/67bee15a389f9b8a9f6c3a340558d1e2319e7199
  Prevent the homeserver from inserting malicious secrets · Nheko-Reborn/nheko@67bee15 · GitHub (Patch)
- https://github.com/Nheko-Reborn/nheko/security/advisories/GHSA-8jcp-8jq4-5mm7
  Secret poisoning using MITM on secret requests by the homeserver · Advisory · Nheko-Reborn/nheko · GitHub (Patch; Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TA6A5ADUVAYKD3ZFLF2JPZOTIOFJOEU7/
  [SECURITY] Fedora 36 Update: nheko-0.10.2-1.fc36 - package-announce - Fedora Mailing-Lists (Mailing List; Third Party Advisory)