← voltar
CVE-2024-34063

Degraded secret zeroization capabilities in vodozemac

CVSS 2.5 LOWEPSS 0.1%CWE-1188
Vexday Risk Score
8Baixo
Decisão SSVC (CISA)
Track
Sem sinal de exploração → monitorar
CVSS 2.5EPSS 0.1%KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
03 mai 2024Publicada no NVD
Recomendação: Monitorar — sem sinal de exploração no momento.
vodozemac is an implementation of Olm and Megolm in pure Rust. Versions 0.5.0 and 0.5.1 of vodozemac have degraded secret zeroization capabilities, due to changes in third-party cryptographic dependencies (the Dalek crates), which moved secret zeroization capabilities behind a feature flag and defaulted this feature to off. The degraded zeroization capabilities could result in the production of more memory copies of encryption secrets and secrets could linger in memory longer than necessary. This marginally increases the risk of sensitive data exposure. This issue has been addressed in version 0.6.0 and users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Produtos afetados
matrix-org · vodozemac

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →
Referências
https://github.com/matrix-org/vodozemac/commit/297548cad4016ce448c4b5007c54db7ee39489d9https://github.com/matrix-org/vodozemac/security/advisories/GHSA-c3hm-hxwf-g5c6