CVE-2022-39252

Name of the Vulnerable Software and Affected Versions matrix-rust-sdk versions prior to 0.6

Description The issue arises when a user requests a room key from their devices. The software correctly remembers the request but fails to check the origin of the forwarded room key, allowing homeservers to potentially insert room keys of questionable validity. This could facilitate an impersonation attack. It's noted that even if key injection succeeds, all forwarded keys have the imported flag set, indicating lesser authentication properties.

Recommendations For versions prior to 0.6, update to version 0.6 to resolve the issue. As a temporary workaround, consider restricting the acceptance of forwarded room keys to only those that are responses to previous requests and come from the expected device.