Subject: [ASA-202109-5] element-web: information disclosure

Arch Linux Security Advisory ASA-202109-5
=========================================

Severity: High
Date    : 2021-09-14
CVE-ID  : CVE-2021-40823
Package : element-web
Type    : information disclosure
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2377

Summary
=======

The package element-web before version 1.8.4-1 is vulnerable to
information disclosure.

Resolution
==========

Upgrade to 1.8.4-1.

# pacman -Syu "element-web>=1.8.4-1"

The problem has been fixed upstream in version 1.8.4.

Workaround
==========

None.

Description
===========

A security issue has been found in matrix-js-sdk before version 12.4.1,
as used by Element Web/Desktop before version 1.8.4. In certain
circumstances it may be possible to trick vulnerable clients into
disclosing encryption keys for messages previously sent by that client
to user accounts later compromised by an attacker.

Exploiting this vulnerability to read encrypted messages requires
gaining control over the recipient’s account. This requires either
compromising their credentials directly or compromising their
homeserver. Thus, the greatest risk is to users who are in encrypted
rooms containing malicious servers. Admins of malicious servers could
attempt to impersonate their users' devices in order to spy on messages
sent by vulnerable clients in that room.

Impact
======

A remote attacker able to compromise a user account could disclose
encryption keys for messages previously sent by the Matrix client.

References
==========

https://matrix.org/blog/2021/09/13/vulnerability-disclosure-key-sharing/
https://github.com/matrix-org/matrix-js-sdk/commit/894c24880da0e1cc81818f51c0db80e3c9fb2be9
https://security.archlinux.org/CVE-2021-40823