CVE-2024-47824: Malicious homeservers can steal message keys when the matrix-react-sdk user invites another user to a room
matrix-react-sdk before 3.102.0 allows a malicious homeserver to potentially steal message keys for a room when a user invites another user to that room, via injection of a malicious device controlled by the homeserver. This is possible because matrix-react-sdk before 3.102.0 shared historical message keys on invite.
References
- github.com/advisories/GHSA-qcvh-p9jq-wp8v
- github.com/matrix-org/matrix-react-sdk
- github.com/matrix-org/matrix-react-sdk/commit/6fc9d7641c51ca3db8225cf58b9d6e6fdd2d6556
- github.com/matrix-org/matrix-react-sdk/pull/12618
- github.com/matrix-org/matrix-react-sdk/security/advisories/GHSA-qcvh-p9jq-wp8v
- nvd.nist.gov/vuln/detail/CVE-2024-47824
Code Behaviors & Features
Detect and mitigate CVE-2024-47824 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →