Unknown · Matrix-Rust-Sdk · CVE-2022-39252
**Name of the Vulnerable Software and Affected Versions**
matrix-rust-sdk versions prior to 0.6
**Description**
The issue arises when a user requests a room key from their devices. The software correctly remembers the request but does not check the origin of the forwarded room key that arrives in response, so a homeserver can potentially insert room keys of questionable validity. This could facilitate an impersonation attack. Even if key injection succeeds, all forwarded keys have the `imported` flag set, which indicates that they carry weaker authentication properties.
**Recommendations**
Users of versions prior to 0.6 should update to version 0.6, which resolves the issue. As a temporary workaround, consider restricting the acceptance of forwarded room keys to those that answer a previously issued request and come from the expected device.
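
The workaround's two checks, sketched as an added example (this is not matrix-rust-sdk code; `KeyRequests`, `Verdict` and the sample IDs are hypothetical). It assumes the sender's device identity has already been authenticated by the encrypted channel the key arrived on.

```rust
use std::collections::{HashMap, HashSet};

// All names here are hypothetical; this is not the matrix-rust-sdk API.
#[derive(Debug, PartialEq)]
pub enum Verdict {
    Accept,
    Unsolicited, // no outstanding request for this session
    WrongSender, // a request exists, but this device was never asked
}

/// Outstanding room key requests: (room_id, session_id) -> devices we asked.
#[derive(Default)]
pub struct KeyRequests {
    pending: HashMap<(String, String), HashSet<String>>,
}

impl KeyRequests {
    /// Record that we asked `device_id` (one of our own devices) for a key.
    pub fn record(&mut self, room_id: &str, session_id: &str, device_id: &str) {
        self.pending
            .entry((room_id.to_owned(), session_id.to_owned()))
            .or_default()
            .insert(device_id.to_owned());
    }

    /// Decide whether a forwarded key may be imported. `sender_device` is
    /// assumed to be the identity authenticated by the encrypted channel,
    /// never a value copied from unauthenticated event fields.
    pub fn check_forward(&mut self, room_id: &str, session_id: &str, sender_device: &str) -> Verdict {
        let key = (room_id.to_owned(), session_id.to_owned());
        let asked = match self.pending.get(&key) {
            Some(devices) => devices,
            None => return Verdict::Unsolicited,
        };
        if !asked.contains(sender_device) {
            return Verdict::WrongSender; // keep the request open for the real reply
        }
        self.pending.remove(&key); // one reply per request; later forwards are unsolicited
        Verdict::Accept
    }
}

fn main() {
    let mut reqs = KeyRequests::default();
    reqs.record("!room:example.org", "SESSION_A", "OWNDEVICE1"); // constructed sample values
    for dev in ["INJECTED", "OWNDEVICE1", "OWNDEVICE1"] {
        println!("{}: {:?}", dev, reqs.check_forward("!room:example.org", "SESSION_A", dev));
    }
}
```

A key that passes both checks is still a forwarded key, so it keeps the `imported` flag described above.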