Soatok

#18201of 53,625
14.9Total CVSS
Vulnerabilities · 3
Medium
3
PT-2024-31474
5.3
2024-08-22
Matrix · Matrix Libolm · CVE-2024-45191
**Name of the Vulnerable Software and Affected Versions** Matrix libolm versions through 3.2.16 **Description** An issue was discovered in the AES implementation of Matrix libolm, which is vulnerable to cache-timing attacks due to the use of S-boxes. This vulnerability is related to software that uses a lookup table for the SubWord step and affects products that are no longer supported by the maintainer. **Recommendations** For Matrix libolm versions through 3.2.16, consider switching to `vodozemac` as soon as possible, as it is the successor effort to `libolm` and is written in Rust. Users of `olm-sys` and its higher-level abstraction, `olm-rs`, are highly encouraged to make this switch. At the moment, there is no information about a newer version of Matrix libolm that contains a fix for this vulnerability.
PT-2024-31475
5.3
2024-08-22
Unknown · Matrix Libolm · CVE-2024-45192
**Name of the Vulnerable Software and Affected Versions** Matrix libolm versions through 3.2.16 **Description** An issue was discovered in Matrix libolm, where cache-timing attacks can occur due to the use of base64 when decoding group session keys. This vulnerability only affects products that are no longer supported by the maintainer. **Recommendations** For Matrix libolm versions through 3.2.16, consider switching to `vodozemac` as soon as possible, as it is the successor effort to `libolm` and is written in Rust. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
PT-2024-31476
4.3
2024-08-22
Matrix · Libolm · CVE-2024-45193
**Name of the Vulnerable Software and Affected Versions** Matrix libolm versions 3.2.16 and earlier **Description** There is Ed25519 signature malleability due to lack of validation criteria in the libolm implementation of Olm, which does not ensure that S < n. This issue only affects products that are no longer supported by the maintainer. **Recommendations** For Matrix libolm versions 3.2.16 and earlier, consider switching to the successor effort `vodozemac` as soon as possible, as `libolm` has been officially deprecated by the Matrix Foundation. As a temporary workaround, consider restricting the use of the Ed25519 signature functionality until a more secure alternative is implemented.