CVE-2024-40648

Name of the Vulnerable Software and Affected Versions matrix-sdk-crypto versions prior to 0.7.2

Description The UserIdentity::is verified() method in the matrix-sdk-crypto crate does not take into account the verification status of the user's own identity while performing the check, potentially returning a value contrary to what is implied by its name and documentation. If this method is used to decide whether to perform sensitive operations towards a user identity, a malicious homeserver could manipulate the outcome to make the identity appear trusted. However, this is not a typical usage of the method, which lowers the impact. The method itself is not used inside the matrix-sdk-crypto crate.

Recommendations For versions prior to 0.7.2, upgrade to version 0.7.2 or later to resolve the issue. As a temporary workaround, consider avoiding the use of the UserIdentity::is verified() method to decide whether to perform sensitive operations towards a user identity until the issue is resolved.