CVE-2024-34063

May 3, 2024, 12:48 p.m.

2.5
Low

Description

vodozemac is an implementation of Olm and Megolm in pure Rust. Versions 0.5.0 and 0.5.1 of vodozemac have degraded secret zeroization capabilities, due to changes in third-party cryptographic dependencies (the Dalek crates), which moved secret zeroization capabilities behind a feature flag and defaulted this feature to off. The degraded zeroization capabilities could result in the production of more memory copies of encryption secrets and secrets could linger in memory longer than necessary. This marginally increases the risk of sensitive data exposure. This issue has been addressed in version 0.6.0 and users are advised to upgrade. There are no known workarounds for this vulnerability.

Product(s) Impacted

Product Versions
vodozemac
  • 0.5.0
  • 0.5.1

Weaknesses

Common security weaknesses mapped to this vulnerability.

References

https://github.com/matrix-org/vodozemac/commit/297548cad4016ce448c4b5007c54db7ee39489d9
https://github.com/matrix-org/vodozemac/security/advisories/GHSA-c3hm-hxwf-g5c6

Tags

security-advisories@github.com
CWE-1188
2024-05-03
CVE-2024-34063

CVSS Score

2.5 / 10

CVSS Data - 3.1

  • Attack Vector: LOCAL
  • Attack Complexity: HIGH
  • Privileges Required: LOW
  • Scope: UNCHANGED
  • Confidentiality Impact: LOW
  • Integrity Impact: NONE
  • Availability Impact: NONE

    • CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

    View Vector String

Timeline

Published: May 3, 2024, 10:15 a.m.
Last Modified: May 3, 2024, 12:48 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.