Add CVE-2024-40648 for matrix-sdk-crypto (#2018)

2025-12-27 01:54:07 -05:00 · 2024-07-19 12:10:26 +02:00
parent 72a75c7d51
commit 2edb42e988
1 changed files with 30 additions and 0 deletions
--- a/crates/matrix-sdk-crypto/RUSTSEC-0000-0000.md
+++ b/crates/matrix-sdk-crypto/RUSTSEC-0000-0000.md
@@ -0,0 +1,30 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "matrix-sdk-crypto"
+date = "2024-07-18"
+url = "https://github.com/matrix-org/matrix-rust-sdk/security/advisories/GHSA-4qg4-cvh2-crgg"
+categories = ["crypto-failure"]
+aliases = ["CVE-2024-40648", "GHSA-4qg4-cvh2-crgg"]
+
+[affected]
+functions = { "matrix_sdk_crypto::UserIdentity::is_verified" = ["< 0.7.2"] }
+
+[versions]
+patched = [">= 0.7.2"]
+
+```
+# `UserIdentity::is_verified` not checking verification status of own user identity while performing the check 
+
+The `UserIdentity::is_verified()` method in the matrix-sdk-crypto crate before
+version 0.7.2 doesn't take into account the verification status of the user's
+own identity while performing the check and may as a result return a value
+contrary to what is implied by its name and documentation.
+
+## Impact
+
+If the method is used to decide whether to perform sensitive operations towards
+a user identity, a malicious homeserver could manipulate the outcome in order to
+make the identity appear trusted. This is not a typical usage of the method,
+which lowers the impact. The method itself is not used inside the
+matrix-sdk-crypto crate.