PT-2024-25810 · Tracing+1

Kasak · Published 2024-05-13 · Updated 2024-05-14 · CVE-2024-34353

CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
matrix-sdk-crypto version 0.7.0
matrix-sdk-crypto versions prior to 0.7.1

Description
The issue is a logic bug in the matrix-sdk-crypto crate, part of the Matrix Rust SDK project. Because of this bug, the private part of the backup key pair is written to Rust debug logs via the tracing crate. The key backup stores encrypted copies of Matrix message keys on the server, which lets keys be shared between a user's devices and provides a redundant copy in case devices are lost. It relies on asymmetric cryptography: each server-side key backup has its own public-private key pair, so exposure of the private key in a log file puts the confidentiality of the backed-up message keys at risk.

Recommendations
For matrix-sdk-crypto version 0.7.0, update to version 0.7.1 to resolve the issue. As a temporary workaround, consider disabling the logging feature in the tracing crate until the update to version 0.7.1 is applied.
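The following is an added illustration of the bug class described above and of the defensive pattern that prevents it; it is not code from matrix-sdk-crypto or the advisory. The type names, the constructed 32-byte sample key and the log-line check are hypothetical; a derived Debug impl on a struct holding key material is what lets `{:?}` (and therefore `tracing::debug!(?key)`) write the secret into the log, while a hand-written Debug impl redacts it.

```rust
use std::fmt;

// Constructed sample: 32 bytes standing in for a backup decryption key (not a real key).
pub const SAMPLE_KEY: [u8; 32] = [0x11; 32];

/// Vulnerable pattern (hypothetical type, modelled on the advisory's bug class):
/// deriving Debug on a struct that holds private key material means any
/// `{:?}` formatting, including `tracing::debug!(?key)`, emits the raw bytes.
#[derive(Debug)]
pub struct LeakyBackupKey {
    pub private_key: [u8; 32],
}

/// Hardened pattern: a type whose Debug impl prints only a redaction marker
/// and the key length, so accidental Debug formatting cannot leak the bytes.
pub struct RedactedBackupKey {
    private_key: [u8; 32],
}

impl fmt::Debug for RedactedBackupKey {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "BackupDecryptionKey(<redacted, {} bytes>)", self.private_key.len())
    }
}

/// Log line a debug statement would produce for the vulnerable type.
pub fn leaky_log_line() -> String {
    let key = LeakyBackupKey { private_key: SAMPLE_KEY };
    format!("created backup key: {:?}", key)
}

/// Log line a debug statement would produce for the hardened type.
pub fn redacted_log_line() -> String {
    let key = RedactedBackupKey { private_key: SAMPLE_KEY };
    format!("created backup key: {:?}", key)
}

/// Detection-side check for existing logs: does a line contain the key bytes in
/// Rust's default Debug rendering of a byte array (`[17, 17, ...]`)?
pub fn log_exposes_key(line: &str, key: &[u8]) -> bool {
    let rendered = format!("{:?}", key);
    line.contains(&rendered)
}

fn main() {
    println!("{}", leaky_log_line());
    println!("{}", redacted_log_line());
}
```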

Weakness Enumeration

Insertion into Log File

Related Identifiers

CVE-2024-34353
GHSA-9GGC-845V-GCGV

Affected Products

Matrix-Sdk-Crypto
Tracing