{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-34353", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-05-02T06:36:32.438Z", "datePublished": "2024-05-13T15:43:10.574Z", "dateUpdated": "2024-08-02T02:51:10.872Z"}, "containers": {"cna": {"title": "matrix-sdk-crypto contains a log exposure of private key of the server-side key backup", "problemTypes": [{"descriptions": [{"cweId": "CWE-532", "lang": "en", "description": "CWE-532: Insertion of Sensitive Information into Log File", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/matrix-org/matrix-rust-sdk/security/advisories/GHSA-9ggc-845v-gcgv", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/matrix-org/matrix-rust-sdk/security/advisories/GHSA-9ggc-845v-gcgv"}, {"name": "https://github.com/matrix-org/matrix-rust-sdk/commit/71136e44c03c79f80d6d1a2446673bc4d53a2067", "tags": ["x_refsource_MISC"], "url": "https://github.com/matrix-org/matrix-rust-sdk/commit/71136e44c03c79f80d6d1a2446673bc4d53a2067"}, {"name": "https://github.com/matrix-org/matrix-rust-sdk/commit/fa10bbb5dd0f9120a51aa1854cec752e25790bb0", "tags": ["x_refsource_MISC"], "url": "https://github.com/matrix-org/matrix-rust-sdk/commit/fa10bbb5dd0f9120a51aa1854cec752e25790bb0"}, {"name": "https://crates.io/crates/matrix-sdk-crypto/0.7.1", "tags": ["x_refsource_MISC"], "url": "https://crates.io/crates/matrix-sdk-crypto/0.7.1"}, {"name": "https://github.com/matrix-org/matrix-rust-sdk/releases/tag/matrix-sdk-crypto-0.7.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/matrix-org/matrix-rust-sdk/releases/tag/matrix-sdk-crypto-0.7.1"}], "affected": [{"vendor": "matrix-org", "product": "matrix-sdk-crypto", "versions": [{"version": "= 0.7.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-05-14T20:13:41.721Z"}, "descriptions": [{"lang": "en", "value": "The matrix-sdk-crypto crate, part of the Matrix Rust SDK project, is an implementation of a Matrix end-to-end encryption state machine in Rust. In Matrix, the server-side `key backup` stores encrypted copies of Matrix message keys. This facilitates key sharing between a user's devices and provides a redundant copy in case all devices are lost. The key backup uses asymmetric\ncryptography, with each server-side key backup assigned a unique public-private key pair. Due to a logic bug introduced in commit 71136e44c03c79f80d6d1a2446673bc4d53a2067, matrix-sdk-crypto version 0.7.0 will sometimes log the private part of the backup key pair to Rust debug logs (using the `tracing` crate). This issue has been resolved in matrix-sdk-crypto version 0.7.1. No known workarounds are available."}], "source": {"advisory": "GHSA-9ggc-845v-gcgv", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-05T16:09:35.013317Z", "id": "CVE-2024-34353", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-05T16:09:42.514Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:51:10.872Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/matrix-org/matrix-rust-sdk/security/advisories/GHSA-9ggc-845v-gcgv", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/matrix-org/matrix-rust-sdk/security/advisories/GHSA-9ggc-845v-gcgv"}, {"name": "https://github.com/matrix-org/matrix-rust-sdk/commit/71136e44c03c79f80d6d1a2446673bc4d53a2067", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/matrix-org/matrix-rust-sdk/commit/71136e44c03c79f80d6d1a2446673bc4d53a2067"}, {"name": "https://github.com/matrix-org/matrix-rust-sdk/commit/fa10bbb5dd0f9120a51aa1854cec752e25790bb0", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/matrix-org/matrix-rust-sdk/commit/fa10bbb5dd0f9120a51aa1854cec752e25790bb0"}, {"name": "https://crates.io/crates/matrix-sdk-crypto/0.7.1", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://crates.io/crates/matrix-sdk-crypto/0.7.1"}, {"name": "https://github.com/matrix-org/matrix-rust-sdk/releases/tag/matrix-sdk-crypto-0.7.1", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/matrix-org/matrix-rust-sdk/releases/tag/matrix-sdk-crypto-0.7.1"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/matrix-org/matrix-rust-sdk/security/advisories/GHSA-9ggc-845v-gcgv", "name": "https://github.com/matrix-org/matrix-rust-sdk/security/advisories/GHSA-9ggc-845v-gcgv", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/matrix-org/matrix-rust-sdk/commit/71136e44c03c79f80d6d1a2446673bc4d53a2067", "name": "https://github.com/matrix-org/matrix-rust-sdk/commit/71136e44c03c79f80d6d1a2446673bc4d53a2067", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/matrix-org/matrix-rust-sdk/commit/fa10bbb5dd0f9120a51aa1854cec752e25790bb0", "name": "https://github.com/matrix-org/matrix-rust-sdk/commit/fa10bbb5dd0f9120a51aa1854cec752e25790bb0", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://crates.io/crates/matrix-sdk-crypto/0.7.1", "name": "https://crates.io/crates/matrix-sdk-crypto/0.7.1", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/matrix-org/matrix-rust-sdk/releases/tag/matrix-sdk-crypto-0.7.1", "name": "https://github.com/matrix-org/matrix-rust-sdk/releases/tag/matrix-sdk-crypto-0.7.1", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:51:10.872Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-34353", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-06-05T16:09:35.013317Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-05T16:09:40.278Z"}}], "cna": {"title": "matrix-sdk-crypto contains a log exposure of private key of the server-side key backup", "source": {"advisory": "GHSA-9ggc-845v-gcgv", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "matrix-org", "product": "matrix-sdk-crypto", "versions": [{"status": "affected", "version": "= 0.7.0"}]}], "references": [{"url": "https://github.com/matrix-org/matrix-rust-sdk/security/advisories/GHSA-9ggc-845v-gcgv", "name": "https://github.com/matrix-org/matrix-rust-sdk/security/advisories/GHSA-9ggc-845v-gcgv", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/matrix-org/matrix-rust-sdk/commit/71136e44c03c79f80d6d1a2446673bc4d53a2067", "name": "https://github.com/matrix-org/matrix-rust-sdk/commit/71136e44c03c79f80d6d1a2446673bc4d53a2067", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/matrix-org/matrix-rust-sdk/commit/fa10bbb5dd0f9120a51aa1854cec752e25790bb0", "name": "https://github.com/matrix-org/matrix-rust-sdk/commit/fa10bbb5dd0f9120a51aa1854cec752e25790bb0", "tags": ["x_refsource_MISC"]}, {"url": "https://crates.io/crates/matrix-sdk-crypto/0.7.1", "name": "https://crates.io/crates/matrix-sdk-crypto/0.7.1", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/matrix-org/matrix-rust-sdk/releases/tag/matrix-sdk-crypto-0.7.1", "name": "https://github.com/matrix-org/matrix-rust-sdk/releases/tag/matrix-sdk-crypto-0.7.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "The matrix-sdk-crypto crate, part of the Matrix Rust SDK project, is an implementation of a Matrix end-to-end encryption state machine in Rust. In Matrix, the server-side `key backup` stores encrypted copies of Matrix message keys. This facilitates key sharing between a user's devices and provides a redundant copy in case all devices are lost. The key backup uses asymmetric\ncryptography, with each server-side key backup assigned a unique public-private key pair. Due to a logic bug introduced in commit 71136e44c03c79f80d6d1a2446673bc4d53a2067, matrix-sdk-crypto version 0.7.0 will sometimes log the private part of the backup key pair to Rust debug logs (using the `tracing` crate). This issue has been resolved in matrix-sdk-crypto version 0.7.1. No known workarounds are available."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-532", "description": "CWE-532: Insertion of Sensitive Information into Log File"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-05-14T20:13:41.721Z"}}}, "cveMetadata": {"cveId": "CVE-2024-34353", "state": "PUBLISHED", "dateUpdated": "2024-08-02T02:51:10.872Z", "dateReserved": "2024-05-02T06:36:32.438Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-05-13T15:43:10.574Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The matrix-sdk-crypto crate, part of the Matrix Rust SDK project, is an implementation of a Matrix end-to-end encryption state machine in Rust. In Matrix, the server-side `key backup` stores encrypted copies of Matrix message keys. This facilitates key sharing between a user's devices and provides a redundant copy in case all devices are lost. The key backup uses asymmetric\ncryptography, with each server-side key backup assigned a unique public-private key pair. Due to a logic bug introduced in commit 71136e44c03c79f80d6d1a2446673bc4d53a2067, matrix-sdk-crypto version 0.7.0 will sometimes log the private part of the backup key pair to Rust debug logs (using the `tracing` crate). This issue has been resolved in matrix-sdk-crypto version 0.7.1. No known workarounds are available."}, {"lang": "es", "value": "La caja Matrix-sdk-crypto, parte del proyecto Matrix Rust SDK, es una implementaci\u00f3n de una m\u00e1quina de estado de cifrado de extremo a extremo de Matrix en Rust. En Matrix, la \"copia de seguridad de claves\" del lado del servidor almacena copias cifradas de las claves de mensajes de Matrix. Esto facilita el intercambio de claves entre los dispositivos de un usuario y proporciona una copia redundante en caso de que se pierdan todos los dispositivos. La copia de seguridad de claves utiliza criptograf\u00eda asim\u00e9trica, y a cada copia de seguridad de claves del lado del servidor se le asigna un par de claves p\u00fablica-privada \u00fanico. Debido a un error l\u00f3gico introducido en el commit 71136e44c03c79f80d6d1a2446673bc4d53a2067, la versi\u00f3n 0.7.0 de Matrix-sdk-crypto a veces registrar\u00e1 la parte privada del par de claves de respaldo en los registros de depuraci\u00f3n de Rust (usando la caja de \"rastreo\"). Este problema se resolvi\u00f3 en la versi\u00f3n 0.7.1 de Matrix-sdk-crypto. No hay workarounds conocidos disponibles."}], "id": "CVE-2024-34353", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-05-14T15:38:43.910", "references": [{"source": "security-advisories@github.com", "url": "https://crates.io/crates/matrix-sdk-crypto/0.7.1"}, {"source": "security-advisories@github.com", "url": "https://github.com/matrix-org/matrix-rust-sdk/commit/71136e44c03c79f80d6d1a2446673bc4d53a2067"}, {"source": "security-advisories@github.com", "url": "https://github.com/matrix-org/matrix-rust-sdk/commit/fa10bbb5dd0f9120a51aa1854cec752e25790bb0"}, {"source": "security-advisories@github.com", "url": "https://github.com/matrix-org/matrix-rust-sdk/releases/tag/matrix-sdk-crypto-0.7.1"}, {"source": "security-advisories@github.com", "url": "https://github.com/matrix-org/matrix-rust-sdk/security/advisories/GHSA-9ggc-845v-gcgv"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://crates.io/crates/matrix-sdk-crypto/0.7.1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/matrix-org/matrix-rust-sdk/commit/71136e44c03c79f80d6d1a2446673bc4d53a2067"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/matrix-org/matrix-rust-sdk/commit/fa10bbb5dd0f9120a51aa1854cec752e25790bb0"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/matrix-org/matrix-rust-sdk/releases/tag/matrix-sdk-crypto-0.7.1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/matrix-org/matrix-rust-sdk/security/advisories/GHSA-9ggc-845v-gcgv"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-532"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{}