PT-2022-24839 · Unknown · Matrix-Android-Sdk2

Published 2022-09-28 · Updated 2022-09-30 · CVE-2022-39246

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions

matrix-android-sdk2 versions prior to 1.5.1

Description

An attacker cooperating with a malicious homeserver can construct messages that appear to have come from another person. Such messages will be marked with a grey shield on some platforms, but this may be missing on others. This attack is possible because the key forwarding strategy implemented in matrix-android-sdk2 is too permissive. The SDK now sets a trusted flag on the decrypted message upon decryption, based on whether the key used to decrypt the message was received from a trusted source. Clients need to ensure that messages decrypted with a key with trusted = false are decorated appropriately.

Recommendations

For versions prior to 1.5.1, update to version 1.5.1 or later to resolve the issue. As a temporary workaround, current users of the SDK can disable key forwarding in their forks using CryptoService#enableKeyGossiping(enable: Boolean).

Weakness Enumeration

Improper Authentication

Related Identifiers

CVE-2022-39246
GHSA-2PVJ-P485-CP3M

Affected Products

Matrix-Android-Sdk2