Back

CVE-2024-34063

May 3, 2024, 12:48 p.m.

Awaiting Analysis
CVE has been recently published to the CVE List and has been received by the NVD.

Products

vodozemac

  • 0.5.0
  • 0.5.1

Source

security-advisories@github.com

Tags

security-advisories@github.com
CWE-1188
2024-05-03
CVE-2024-34063

CVE-2024-34063 details

Published : May 3, 2024, 10:15 a.m.
Last Modified : May 3, 2024, 12:48 p.m.

Description

vodozemac is an implementation of Olm and Megolm in pure Rust. Versions 0.5.0 and 0.5.1 of vodozemac have degraded secret zeroization capabilities, due to changes in third-party cryptographic dependencies (the Dalek crates), which moved secret zeroization capabilities behind a feature flag and defaulted this feature to off. The degraded zeroization capabilities could result in the production of more memory copies of encryption secrets and secrets could linger in memory longer than necessary. This marginally increases the risk of sensitive data exposure. This issue has been addressed in version 0.6.0 and users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS Score

1 2.5 3 4 5 6 7 8 9 10

Weakness

Weakness Name Description

CVSS Data

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

Base Score

2.5

Exploitability Score

Impact Score

Base Severity

LOW

Vector String : CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

References

URL Source
https://github.com/matrix-org/vodozemac/commit/297548cad4016ce448c4b5007c54db7ee39489d9 security-advisories@github.com
https://github.com/matrix-org/vodozemac/security/advisories/GHSA-c3hm-hxwf-g5c6 security-advisories@github.com
This website uses the NVD API, but is not approved or certified by it.