GHSA-4qg4-cvh2-crgg
GitHub Security Advisory
matrix-sdk-crypto's `UserIdentity::is_verified` not checking verification status of own user identity while performing the check
Advisory Details
The `UserIdentity::is_verified()` method in the matrix-sdk-crypto crate before version 0.7.2 does not take into account the verification status of the user's own identity when performing the check. As a result, it may return a value contrary to what its name and documentation imply.
### Impact
If the method is used to decide whether to perform sensitive operations towards a user identity, a malicious homeserver could manipulate the outcome in order to make the identity appear trusted. This is not a typical usage of the method, which lowers the impact. The method itself is not used inside the `matrix-sdk-crypto` crate.
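The missing check, as an added Rust sketch that is not code from matrix-sdk-crypto. All types and function names are hypothetical, and the model assumes that another user's identity counts as verified when our own identity has signed it.

```rust
// Simplified model constructed for illustration; not matrix-sdk-crypto code.
use std::collections::HashSet;

/// Our own cross-signing identity, as delivered by the homeserver.
struct OwnIdentity {
    user_signing_key: String,
    /// True only if the local device has verified this identity.
    locally_verified: bool,
}

/// Another user's identity, with the ids of the keys that signed it.
struct OtherIdentity {
    signed_by: HashSet<String>,
}

impl OwnIdentity {
    fn has_signed(&self, other: &OtherIdentity) -> bool {
        other.signed_by.contains(&self.user_signing_key)
    }
}

/// Flawed shape: accepts the signature without asking whether the signer is trusted.
fn is_verified_flawed(own: &OwnIdentity, other: &OtherIdentity) -> bool {
    own.has_signed(other)
}

/// Hardened shape: the signing identity must itself be verified first.
fn is_verified_checked(own: &OwnIdentity, other: &OtherIdentity) -> bool {
    own.locally_verified && own.has_signed(other)
}

/// Builds a constructed scenario and returns (flawed result, checked result).
fn scenario(own_verified: bool, own_signed_other: bool) -> (bool, bool) {
    let own = OwnIdentity {
        user_signing_key: "usk:constructed".to_string(),
        locally_verified: own_verified,
    };
    let mut signed_by = HashSet::new();
    if own_signed_other {
        signed_by.insert(own.user_signing_key.clone());
    }
    let other = OtherIdentity { signed_by };
    (is_verified_flawed(&own, &other), is_verified_checked(&own, &other))
}

fn main() {
    // Own identity never verified locally, yet it carries a signature over the other user.
    println!("unverified own identity: {:?}", scenario(false, true));
    println!("verified own identity:   {:?}", scenario(true, true));
}
```

The two shapes disagree only when the own identity was never verified locally, which is the case a caller gating sensitive operations on the result needs to test for.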
### Patches
The 0.7.2 release of the `matrix-sdk-crypto` crate includes a fix.
### Workarounds
None.
Dataset
Data from GitHub Advisory Database. This information is provided for research and educational purposes.