CVE-2024-34353: matrix-sdk-crypto contains a log exposure of private key of the server-side key backup
Due to a logic bug introduced in https://github.com/matrix-org/matrix-rust-sdk/pull/2961/commits/71136e44c03c79f80d6d1a2446673bc4d53a2067, the matrix-sdk-crypto crate version 0.7.0 will sometimes log the private part of the backup key pair to Rust debug logs (using the tracing crate).
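The defensive pattern that prevents this class of bug is to never give key material a Debug representation that prints its bytes, so that a stray `debug!(?key)` in a tracing span cannot leak it no matter what logic path is taken. The example below is added here for illustration and is not code from matrix-sdk-crypto or the matrix-rust-sdk project; the type names (`BackupPrivateKey`, `BackupKeyPair`), the 32-byte constructed sample key, and the use of `format!` as a stand-in for a `tracing::debug!` call are all assumptions made so the code runs with the standard library alone. It also includes a small check a defender could run over captured debug logs to confirm that neither the Rust byte-array form nor the hex form of a known secret appears in them.

```rust
use std::fmt;

/// Private half of a backup key pair. Wrapping the bytes in a newtype lets us
/// control exactly what `{:?}` prints (hypothetical type, not the crate's own).
pub struct BackupPrivateKey([u8; 32]);

impl BackupPrivateKey {
    pub fn from_bytes(bytes: [u8; 32]) -> Self {
        Self(bytes)
    }

    /// Explicit accessor: callers must opt in to read the raw bytes, which
    /// makes accidental use in a log call easy to spot in review.
    pub fn expose_secret(&self) -> &[u8; 32] {
        &self.0
    }
}

/// Redacting Debug: a `debug!(?key)` or `{:?}` never reveals key material.
impl fmt::Debug for BackupPrivateKey {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str("BackupPrivateKey([REDACTED; 32 bytes])")
    }
}

/// A key pair as a client might hold it. The public half may be logged;
/// derived Debug recurses into the redacting impl for the private half.
#[derive(Debug)]
pub struct BackupKeyPair {
    pub public_key: [u8; 32],
    pub private_key: BackupPrivateKey,
}

/// Constructed sample pair (not a real key): public = 0xAA repeated,
/// private = 0x00..0x1F.
pub fn sample_pair() -> BackupKeyPair {
    let mut private = [0u8; 32];
    for (i, b) in private.iter_mut().enumerate() {
        *b = i as u8;
    }
    BackupKeyPair {
        public_key: [0xAA; 32],
        private_key: BackupPrivateKey::from_bytes(private),
    }
}

/// Stand-in for `tracing::debug!("backup key pair loaded: {:?}", pair)`:
/// returns the line a log sink would receive.
pub fn render_debug_log(pair: &BackupKeyPair) -> String {
    format!("DEBUG backup key pair loaded: {:?}", pair)
}

/// Log-scanning check: true if the secret appears in the line either as
/// Rust's byte-array Debug form ("[0, 1, 2, ...]") or as lowercase hex.
pub fn log_leaks_secret(line: &str, secret: &[u8; 32]) -> bool {
    let debug_form = format!("{:?}", secret);
    let hex_form: String = secret.iter().map(|b| format!("{:02x}", b)).collect();
    line.contains(&debug_form) || line.contains(&hex_form)
}

fn main() {
    let pair = sample_pair();
    let line = render_debug_log(&pair);
    println!("{}", line);
    println!(
        "leaks private key: {}",
        log_leaks_secret(&line, pair.private_key.expose_secret())
    );
}
```

Running it prints the pair with the private half shown as `[REDACTED; 32 bytes]` and reports no leak; formatting the bare `[u8; 32]` returned by `expose_secret()` instead is exactly the shape of mistake the scan function flags.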
References
- github.com/advisories/GHSA-9ggc-845v-gcgv
- github.com/matrix-org/matrix-rust-sdk
- github.com/matrix-org/matrix-rust-sdk/commit/71136e44c03c79f80d6d1a2446673bc4d53a2067
- github.com/matrix-org/matrix-rust-sdk/commit/fa10bbb5dd0f9120a51aa1854cec752e25790bb0
- github.com/matrix-org/matrix-rust-sdk/releases/tag/matrix-sdk-crypto-0.7.1
- github.com/matrix-org/matrix-rust-sdk/security/advisories/GHSA-9ggc-845v-gcgv
- nvd.nist.gov/vuln/detail/CVE-2024-34353