CVE-2021-40823 log

Source	CVE Red Hat MITRE NVD Debian Ubuntu SUSE Alpine Mageia CVE Details CIRCL Bugs Arch Linux Red Hat Gentoo SUSE GitHub Lists oss-security full-disclosure bugtraq Misc GitHub code web search
Severity	High
Remote	Yes
Type	Information disclosure
Description	A security has been found in matrix-js-sdk before version 12.4.1, as used by Element Web/Desktop before version 1.8.4. In certain circumstances it may be possible to trick vulnerable clients into disclosing encryption keys for messages previously sent by that client to user accounts later compromised by an attacker. Exploiting this vulnerability to read encrypted messages requires gaining control over the recipient’s account. This requires either compromising their credentials directly or compromising their homeserver. Thus, the greatest risk is to users who are in encrypted rooms containing malicious servers. Admins of malicious servers could attempt to impersonate their users' devices in order to spy on messages sent by vulnerable clients in that room.

Group	Package	Affected	Fixed	Severity	Status	Ticket
AVG-2377	element-desktop, element-web	1.7.34-2	1.8.4-1	High	Fixed

Date	Advisory	Group	Package	Severity	Type
14 Sep 2021	ASA-202109-5	AVG-2377	element-web	High	information disclosure
14 Sep 2021	ASA-202109-4	AVG-2377	element-desktop	High	information disclosure

References
https://matrix.org/blog/2021/09/13/vulnerability-disclosure-key-sharing/ https://github.com/matrix-org/matrix-js-sdk/commit/894c24880da0e1cc81818f51c0db80e3c9fb2be9