8.6

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-39254

GHSA ID

GHSA-w4pr-4vjg-hffh

EPSS Score

0.23016%

CWE

CWE-287

Published

9/30/2022

Updated

9/7/2023

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-39254

CVE-2022-39254: When matrix-nio receives forwarded room keys, the receiver doesn't check if it requested the key from the forwarder

When matrix-nio before 0.20 requests a room key from our devices, it correctly accepts key forwards only if they are a response to a previous request. However, it doesn't check that the device that responded matches the device the key was requested from.

This allows a malicious homeserver to insert room keys of questionable validity into the key store in some situations, potentially assisting in an impersonation attack.

For more information

If you have any questions or comments about this advisory, e-mail us at poljar@termina.org.uk.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2022-39254

CVE-2022-39254:

8.6

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-39254

GHSA ID

GHSA-w4pr-4vjg-hffh

EPSS Score

0.23016%

CWE

CWE-287

Published

9/30/2022

Updated

9/7/2023

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
matrix-nio	pip	< 0.20	0.20

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the _handle_forwarded_room_key_event function's lack of sender device validation. The commit diff shows the fix introduced a new _should_accept_forward method that adds three critical checks: 1) device exists in store, 2) device is verified, and 3) device belongs to the current user. The original vulnerable version lacked these checks, allowing any device (even untrusted or malicious) to fulfill key requests as long as they had a matching session ID.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8.6

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2022-39254: When matrix-nio receives forwarded room keys, the receiver doesn't check if it requested the key from the forwarder

For more information

CVE-2022-39254:

8.6

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

CVE-2022-39254: When matrix-nio receives forwarded room keys, the receiver doesn't check if it requested the key from the forwarder

For more information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

8.6

8.6

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI