CVE-2022-39264 - OpenCVE

nheko is a desktop client for the Matrix communication application. All versions below 0.10.2 are vulnerable homeservers inserting malicious secrets, which could lead to man-in-the-middle attacks. Users can upgrade to version 0.10.2 to protect against this issue. As a workaround, one may apply the patch manually, avoid doing verifications of one's own devices, and/or avoid pressing the request button in the settings menu.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Fedoraproject	Fedora
Nheko-reborn	Nheko

Configuration 1 [-]

cpe:2.3:a:nheko-reborn:nheko:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:o:fedoraproject:fedora:36:::::::*
	cpe:2.3:o:fedoraproject:fedora:37:::::::*

No data.

References

Link	Providers
https://github.com/Nheko-Reborn/nheko/commit/67bee15a389f9b8a9f6c3a340558d1e2319e7199
https://github.com/Nheko-Reborn/nheko/releases/tag/v0.10.2
https://github.com/Nheko-Reborn/nheko/security/advisories/GHSA-8jcp-8jq4-5mm7
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TA6A5ADUVAYKD3ZFLF2JPZOTIOFJOEU7/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YBOL6OOQGPZD2RLYT4EHAWTFXNIHLYEN/

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-09-28T00:00:00

Updated: 2024-08-03T12:00:43.593Z

Reserved: 2022-09-02T00:00:00

Link: CVE-2022-39264

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-09-28T22:15:14.633

Modified: 2023-11-07T03:50:23.657

Link: CVE-2022-39264

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-39264", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "dateUpdated": "2024-08-03T12:00:43.593Z", "dateReserved": "2022-09-02T00:00:00", "datePublished": "2022-09-28T00:00:00"}, "containers": {"cna": {"title": "nheko vulnerable to secret poisoning using MITM on secret requests by the homeserver", "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-10-07T00:00:00"}, "descriptions": [{"lang": "en", "value": "nheko is a desktop client for the Matrix communication application. All versions below 0.10.2 are vulnerable homeservers inserting malicious secrets, which could lead to man-in-the-middle attacks. Users can upgrade to version 0.10.2 to protect against this issue. As a workaround, one may apply the patch manually, avoid doing verifications of one's own devices, and/or avoid pressing the request button in the settings menu."}], "affected": [{"vendor": "Nheko-Reborn", "product": "nheko", "versions": [{"version": "< 0.10.2", "status": "affected"}]}], "references": [{"url": "https://github.com/Nheko-Reborn/nheko/security/advisories/GHSA-8jcp-8jq4-5mm7"}, {"url": "https://github.com/Nheko-Reborn/nheko/commit/67bee15a389f9b8a9f6c3a340558d1e2319e7199"}, {"url": "https://github.com/Nheko-Reborn/nheko/releases/tag/v0.10.2"}, {"name": "FEDORA-2022-959b529587", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YBOL6OOQGPZD2RLYT4EHAWTFXNIHLYEN/"}, {"name": "FEDORA-2022-1fd94a54a1", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TA6A5ADUVAYKD3ZFLF2JPZOTIOFJOEU7/"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-295: Improper Certificate Validation", "cweId": "CWE-295"}]}, {"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-287: Improper Authentication", "cweId": "CWE-287"}]}], "source": {"advisory": "GHSA-8jcp-8jq4-5mm7", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T12:00:43.593Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/Nheko-Reborn/nheko/security/advisories/GHSA-8jcp-8jq4-5mm7", "tags": ["x_transferred"]}, {"url": "https://github.com/Nheko-Reborn/nheko/commit/67bee15a389f9b8a9f6c3a340558d1e2319e7199", "tags": ["x_transferred"]}, {"url": "https://github.com/Nheko-Reborn/nheko/releases/tag/v0.10.2", "tags": ["x_transferred"]}, {"name": "FEDORA-2022-959b529587", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YBOL6OOQGPZD2RLYT4EHAWTFXNIHLYEN/"}, {"name": "FEDORA-2022-1fd94a54a1", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TA6A5ADUVAYKD3ZFLF2JPZOTIOFJOEU7/"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nheko-reborn:nheko:*:*:*:*:*:*:*:*", "matchCriteriaId": "065A6B94-C716-4629-9F8A-C50C012160C6", "versionEndExcluding": "0.10.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*", "matchCriteriaId": "5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*", "matchCriteriaId": "E30D0E6F-4AE8-4284-8716-991DFA48CC5D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "nheko is a desktop client for the Matrix communication application. All versions below 0.10.2 are vulnerable homeservers inserting malicious secrets, which could lead to man-in-the-middle attacks. Users can upgrade to version 0.10.2 to protect against this issue. As a workaround, one may apply the patch manually, avoid doing verifications of one's own devices, and/or avoid pressing the request button in the settings menu."}, {"lang": "es", "value": "nheko es un cliente de escritorio para la aplicaci\u00f3n de comunicaci\u00f3n Matrix. Todas las versiones anteriores a 0.10.2 son vulnerables a una inserci\u00f3n de secretos maliciosos por parte de los servidores dom\u00e9sticos, lo que podr\u00eda conllevar a ataques de tipo man-in-the-middle. Los usuarios pueden actualizar a versi\u00f3n 0.10.2 para protegerse de este problema. Como mitigaci\u00f3n, puede aplicarse el parche manualmente, evitar hacer verificaciones de los propios dispositivos y/o evitar pulsar el bot\u00f3n de petici\u00f3n en el men\u00fa de configuraci\u00f3n"}], "id": "CVE-2022-39264", "lastModified": "2023-11-07T03:50:23.657", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2022-09-28T22:15:14.633", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/Nheko-Reborn/nheko/commit/67bee15a389f9b8a9f6c3a340558d1e2319e7199"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/Nheko-Reborn/nheko/releases/tag/v0.10.2"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/Nheko-Reborn/nheko/security/advisories/GHSA-8jcp-8jq4-5mm7"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TA6A5ADUVAYKD3ZFLF2JPZOTIOFJOEU7/"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YBOL6OOQGPZD2RLYT4EHAWTFXNIHLYEN/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}, {"lang": "en", "value": "CWE-295"}], "source": "security-advisories@github.com", "type": "Primary"}]}