Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

CVE-2024-40640

LOW
Published 2024-07-17T17:27:15.586Z
Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2024-40640. We'll provide specific mitigation strategies based on your environment and risk profile.

CVSS Score

V3.1
2.9
/10
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Base Score Metrics
Exploitability: N/A Impact: N/A

EPSS Score

v2025.03.14
0.000
probability
of exploitation in the wild

There is a 0.0% chance that this vulnerability will be exploited in the wild within the next 30 days.

Updated: 2025-06-25
Exploit Probability
Percentile: 0.088
Higher than 8.8% of all CVEs

Attack Vector Metrics

Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED

Impact Metrics

Confidentiality
LOW
Integrity
NONE
Availability
NONE

Description

vodozemac is an open source implementation of Olm and Megolm in pure Rust. Versions before 0.7.0 of vodozemac use a non-constant time base64 implementation for importing key material for Megolm group sessions and `PkDecryption` Ed25519 secret keys. This flaw might allow an attacker to infer some information about the secret key material through a side-channel attack. The use of a non-constant time base64 implementation might allow an attacker to observe timing variations in the encoding and decoding operations of the secret key material. This could potentially provide insights into the underlying secret key material. The impact of this vulnerability is considered low because exploiting the attacker is required to have access to high precision timing measurements, as well as repeated access to the base64 encoding or decoding processes. Additionally, the estimated leakage amount is bounded and low according to the referenced paper. This has been patched in commit 734b6c6948d4b2bdee3dd8b4efa591d93a61d272 which has been included in release version 0.7.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

matrix-org

vodozemac

Affected Versions:

< 0.7.0

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

✓ GitHub Reviewed MODERATE

vodozemac's usage of non-constant time base64 decoder could lead to leakage of secret key material

GHSA-j8cm-g7r6-hfpq

Advisory Details

Versions before 0.7.0 of vodozemac use a non-constant time base64 implementation for importing key material for Megolm group sessions and `PkDecryption` Ed25519 secret keys. This flaw might allow an attacker to infer some information about the secret key material through a side-channel attack. ### Impact The use of a non-constant time base64 implementation might allow an attacker to observe timing variations in the encoding and decoding operations of the secret key material. This could potentially provide insights into the underlying secret key material. The impact of this vulnerability is considered low because exploiting the attacker is required to have access to high precision timing measurements, as well as repeated access to the base64 encoding or decoding processes. Additionally, the estimated leakage amount is bounded and low according to the referenced paper. ### Patches The patch is in commit 734b6c6948d4b2bdee3dd8b4efa591d93a61d272. ### Workarounds None. ### References A detailed description of the precise attack can be found at https://arxiv.org/abs/2108.04600. We kindly thank Soatok for pointing out this research to us. ### For more information If you have any questions or comments about this advisory please email us at [security at matrix.org](mailto:[email protected]).

Affected Packages

crates.io vodozemac
ECOSYSTEM: ≥0 <0.7.0

CVSS Scoring

CVSS Score

5.0

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

References

WEB https://github.com/matrix-org/vodozemac/security/advisories/GHSA-j8cm-g7r6-hfpq
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2024-40640
WEB https://github.com/matrix-org/vodozemac/commit/734b6c6948d4b2bdee3dd8b4efa591d93a61d272
WEB https://github.com/matrix-org/vodozemac/commit/77765dace11266ef9523301624a01265c6e0f790
WEB https://arxiv.org/abs/2108.04600
PACKAGE https://github.com/matrix-org/vodozemac
WEB https://rustsec.org/advisories/RUSTSEC-2024-0354.html

Advisory provided by GitHub Security Advisory Database. Published: July 17, 2024, Modified: November 18, 2024

References

https://github.com/matrix-org/vodozemac/security/advisories/GHSA-j8cm-g7r6-hfpq
https://github.com/matrix-org/vodozemac/commit/734b6c6948d4b2bdee3dd8b4efa591d93a61d272
https://arxiv.org/abs/2108.04600
Published: 2024-07-17T17:27:15.586Z
Last Modified: 2024-08-02T04:33:11.880Z
Copied to clipboard!