Login Sign Up

CVE-2024-52813

4.3 MEDIUM

📋 TL;DR

This vulnerability in matrix-rust-sdk's crypto crate fails to notify applications when a user's verified cryptographic identity changes to unverified. This could allow malicious actors to impersonate previously trusted users without detection. Applications using matrix-sdk-crypto versions before 0.8.0 are affected.

💻 Affected Systems

Products:
  • matrix-rust-sdk
  • matrix-sdk-crypto
Versions: matrix-sdk-crypto versions before 0.8.0
Operating Systems: all
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications that rely on the matrix-sdk-crypto crate for Matrix client-server communication.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could impersonate verified users in encrypted communications, potentially leading to data leakage or social engineering attacks.

🟠

Likely Case

Users might unknowingly communicate with impersonated accounts, compromising the integrity of encrypted conversations.

🟢

If Mitigated

With proper monitoring and updated clients, identity changes would be detected and users could be warned.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires ability to manipulate cryptographic identities and target specific users.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: matrix-sdk-crypto 0.8.0

Vendor Advisory: https://github.com/matrix-org/matrix-rust-sdk/security/advisories/GHSA-r5vf-wf4h-82gg

Restart Required: Yes

Instructions:

1. Update matrix-sdk-crypto dependency to version 0.8.0 or higher in Cargo.toml. 2. Run 'cargo update'. 3. Rebuild and redeploy the application.

🔧 Temporary Workarounds

Manual identity verification monitoring

all

Implement application-level checks to monitor identity verification status changes

🧯 If You Can't Patch

  • Implement additional application-layer verification checks for all encrypted communications
  • Educate users to manually verify identities before sensitive conversations

🔍 How to Verify

Check if Vulnerable:

Check Cargo.toml or Cargo.lock for matrix-sdk-crypto version <0.8.0

Check Version:

grep -E 'matrix-sdk-crypto.*\d+\.\d+\.\d+' Cargo.lock

Verify Fix Applied:

Confirm matrix-sdk-crypto version is 0.8.0 or higher in Cargo.lock

📡 Detection & Monitoring

Log Indicators:

  • Unexpected identity verification status changes
  • Multiple verification requests from same user

Network Indicators:

  • Unusual patterns in Matrix identity key exchanges

SIEM Query:

Search for logs containing 'verification violation' or 'identity changed' in Matrix client applications

📊 Metadata

CVE ID: CVE-2024-52813
CVSS v3 Score: 4.3 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CWE: CWE-223
EPSS Score: 0.13% exploit probability (32.5th percentile)
Published: January 7, 2025
Last Updated: January 7, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-52813, you might also want to check these:

CVE-2023-31191 9.3

This vulnerability allows attackers to inject spoofed drone identification messages that force the D...

Same vulnerability type (CWE-223)