Main Vulnerability Database Vulnerabilities #VU56488

Information disclosure in Matrix Javascript SDK - CVE-2021-40823

Published: September 14, 2021 / Updated: December 16, 2024

Vulnerability identifier: #VU56488

CSH Severity: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2021-40823

CWE-ID: CWE-200

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Matrix Javascript SDK

Software vendor:
Matrix.org

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to logic error in the room key sharing functionality in matrix-js-sdk. In certain circumstances it is possible to trick vulnerable clients into disclosing encryption keys for messages previously sent by that client to user accounts later compromised by an attacker.

Remediation

Install updates from vendor's website.

External links

https://github.com/matrix-org/matrix-js-sdk/releases/tag/v12.4.1
https://matrix.org/blog/2021/09/13/vulnerability-disclosure-key-sharing
https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-23cm-x6j7-6hq3

Information disclosure in Matrix Javascript SDK - CVE-2021-40823

Description

Remediation

External links

Please verify you're human