Back

CVE-2024-40640

July 17, 2024, 6:15 p.m.

Received
CVE has been recently published to the CVE List and has been received by the NVD.

Products

vodozemac

  • before 0.7.0

Source

security-advisories@github.com

Tags

security-advisories@github.com
CWE-208
2024-07-17
CVE-2024-40640

CVE-2024-40640 details

Published : July 17, 2024, 6:15 p.m.
Last Modified : July 17, 2024, 6:15 p.m.

Description

vodozemac is an open source implementation of Olm and Megolm in pure Rust. Versions before 0.7.0 of vodozemac use a non-constant time base64 implementation for importing key material for Megolm group sessions and `PkDecryption` Ed25519 secret keys. This flaw might allow an attacker to infer some information about the secret key material through a side-channel attack. The use of a non-constant time base64 implementation might allow an attacker to observe timing variations in the encoding and decoding operations of the secret key material. This could potentially provide insights into the underlying secret key material. The impact of this vulnerability is considered low because exploiting the attacker is required to have access to high precision timing measurements, as well as repeated access to the base64 encoding or decoding processes. Additionally, the estimated leakage amount is bounded and low according to the referenced paper. This has been patched in commit 734b6c6948d4b2bdee3dd8b4efa591d93a61d272 which has been included in release version 0.7.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS Score

1 2.9 3 4 5 6 7 8 9 10

Weakness

Weakness Name Description
CWE-208 Observable Timing Discrepancy Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.

CVSS Data

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

Base Score

2.9

Exploitability Score

1.4

Impact Score

1.4

Base Severity

LOW

Vector String : CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

References

URL Source
https://arxiv.org/abs/2108.04600 security-advisories@github.com
https://github.com/matrix-org/vodozemac/commit/734b6c6948d4b2bdee3dd8b4efa591d93a61d272 security-advisories@github.com
https://github.com/matrix-org/vodozemac/security/advisories/GHSA-j8cm-g7r6-hfpq security-advisories@github.com
This website uses the NVD API, but is not approved or certified by it.