CVE-2021-40823
Summary
| CVE | CVE-2021-40823 |
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2021-09-13 19:15:00 UTC |
| Updated | 2023-08-08 14:22:00 UTC |
| Description | A logic error in the room key sharing functionality of matrix-js-sdk (aka Matrix Javascript SDK) before 12.4.1 allows a malicious Matrix homeserver present in an encrypted room to steal room encryption keys (via crafted Matrix protocol messages) that were originally sent by affected Matrix clients participating in that room. This allows the homeserver to decrypt end-to-end encrypted messages sent by affected clients. |
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Disclosing CVE-2021-40823 and CVE-2021-40824: E2EE vulnerability in multiple Matrix clients \| Matrix.org | MISC | matrix.org | |
| Release v12.4.1 · matrix-org/matrix-js-sdk · GitHub | MISC | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 501918 Alpine Linux Security Update for riot-web
- 503178 Alpine Linux Security Update for element-web
- 506038 Alpine Linux Security Update for element-web
- 690038 Free Berkeley Software Distribution (FreeBSD) Security Update for matrix clients (93eb0e48-14ba-11ec-875e-901b0e9408dc)
- 980380 Nodejs (npm) Security Update for matrix-js-sdk (GHSA-23cm-x6j7-6hq3)