CVE-2024-40640: vodozemac's usage of non-constant time base64 decoder could lead to leakage of secret key material
(updated )
Versions before 0.7.0 of vodozemac use a non-constant time base64 implementation for importing key material for Megolm group sessions and PkDecryption Ed25519 secret keys. This flaw might allow an attacker to infer some information about the secret key material through a side-channel attack.
References
- arxiv.org/abs/2108.04600
- github.com/advisories/GHSA-j8cm-g7r6-hfpq
- github.com/matrix-org/vodozemac
- github.com/matrix-org/vodozemac/commit/734b6c6948d4b2bdee3dd8b4efa591d93a61d272
- github.com/matrix-org/vodozemac/commit/77765dace11266ef9523301624a01265c6e0f790
- github.com/matrix-org/vodozemac/security/advisories/GHSA-j8cm-g7r6-hfpq
- nvd.nist.gov/vuln/detail/CVE-2024-40640
- rustsec.org/advisories/RUSTSEC-2024-0354.html
Code Behaviors & Features
Detect and mitigate CVE-2024-40640 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →