CVE-2021-40823
Published on: 09/13/2021 12:00:00 AM UTC
Last Modified on: 09/24/2021 05:27:00 PM UTC
Certain versions of Javascript Sdk from Matrix contain the following vulnerability:
A logic error in the room key sharing functionality of matrix-js-sdk (aka Matrix Javascript SDK) before 12.4.1 allows a malicious Matrix homeserver present in an encrypted room to steal room encryption keys (via crafted Matrix protocol messages) that were originally sent by affected Matrix clients participating in that room. This allows the homeserver to decrypt end-to-end encrypted messages sent by affected clients.
- CVE-2021-40823 has been assigned by
[email protected] to track the vulnerability - currently rated as MEDIUM severity.
CVSS3 Score: 5.9 - MEDIUM
Attack Vector ⓘ |
Attack Complexity |
Privileges Required |
User Interaction |
---|---|---|---|
NETWORK | HIGH | NONE | NONE |
Scope | Confidentiality Impact |
Integrity Impact |
Availability Impact |
UNCHANGED | HIGH | NONE | NONE |
CVSS2 Score: 4.3 - MEDIUM
Access Vector ⓘ |
Access Complexity |
Authentication |
---|---|---|
NETWORK | MEDIUM | NONE |
Confidentiality Impact |
Integrity Impact |
Availability Impact |
PARTIAL | NONE | NONE |
CVE References
Description | Tags ⓘ | Link |
---|---|---|
Disclosing CVE-2021-40823 and CVE-2021-40824: E2EE vulnerability in multiple Matrix clients | Matrix.org | matrix.org text/html |
![]() |
Release v12.4.1 · matrix-org/matrix-js-sdk · GitHub | github.com text/html |
![]() |
Related QID Numbers
Known Affected Configurations (CPE V2.3)
Type | Vendor | Product | Version | Update | Edition | Language |
---|---|---|---|---|---|---|
Application | Matrix | Javascript Sdk | All | All | All | All |
- cpe:2.3:a:matrix:javascript_sdk:*:*:*:*:*:*:*:*:
No vendor comments have been submitted for this CVE
Social Mentions
Source | Title | Posted (UTC) |
---|---|---|
![]() |
Disclosing CVE-2021-40823 and CVE-2021-40824: E2EE vulnerability in multiple Matrix clients matrix.org/blog/2021/09/1…… twitter.com/i/web/status/1… | 2021-09-13 15:46:19 |
![]() |
"Disclosing CVE-2021-40823 and CVE-2021-40824: E2EE vulnerability in multiple Matrix clients" matrix.org/blog/2021/09/1… #Matrix | 2021-09-13 16:08:05 |
![]() |
Disclosing CVE-2021-40823 and CVE-2021-40824: E2EE vulnerability in multiple Matrix clients matrix.org/blog/2021/09/1… https://t.co/OdOS9yxtnM | 2021-09-13 17:28:03 |
![]() |
CVE-2021-40823 : A logic error in the room key sharing functionality of matrix-js-sdk aka Matrix Javascript SDK b… twitter.com/i/web/status/1… | 2021-09-13 19:07:44 |
![]() |
Disclosing CVE-2021-40823 and CVE-2021-40824: E2EE vulnerability in multiple Matrix clients… twitter.com/i/web/status/1… | 2021-09-13 20:42:37 |