CVE-2022-39254

Name: CVE-2022-39254
Description: matrix-nio is a Python Matrix client library, designed according to sans I/O principles. Prior to version 0.20, when a user requests a room key from their devices, the software correctly remembers the request. Once they receive a forwarded room key, they accept it without checking who the room key came from. This allows homeservers to try to insert room keys of questionable validity, potentially mounting an impersonation attack. Version 0.20 fixes the issue.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package            Release        Version    Status
python-matrix-nio (PTS)   bullseye       0.16.0-1   vulnerable
                          bookworm, sid  0.20.1-2   fixed

The information below is based on the following data on fixed versions.

Package             Type     Release      Fixed Version   Urgency   Origin   Debian Bugs
python-matrix-nio   source   (unstable)   0.20.0-1

Notes

[bullseye] - python-matrix-nio <ignored> (Doesn't work with current Matrix servers, to be removed from stable)
https://github.com/poljar/matrix-nio/security/advisories/GHSA-w4pr-4vjg-hffh
https://github.com/poljar/matrix-nio/commit/b1cbf234a831daa160673defd596e6450e9c29f0 (0.20.0)
