CVE-2024-40648

CVSS v3 Score
5.4
Medium

Vulnerability Description

matrix-rust-sdk is an implementation of a Matrix client-server library in Rust. The `UserIdentity::is_verified()` method in the matrix-sdk-crypto crate before version 0.7.2 doesn't take into account the verification status of the user's own identity while performing the check and may as a result return a value contrary to what is implied by its name and documentation. If the method is used to decide whether to perform sensitive operations towards a user identity, a malicious homeserver could manipulate the outcome in order to make the identity appear trusted. This is not a typical usage of the method, which lowers the impact. The method itself is not used inside the `matrix-sdk-crypto` crate. The 0.7.2 release of the `matrix-sdk-crypto` crate includes a fix. All users are advised to upgrade. There are no known workarounds for this vulnerability.
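The flaw described above, shown as a simplified model. This is an added example, not code from matrix-rust-sdk: the types, fields, function names and key id are hypothetical, and the hardened check is an assumption about what taking the own identity's verification status into account looks like.

```rust
// Simplified model (added example): hypothetical types, not the matrix-sdk-crypto API.
use std::collections::HashSet;

/// Our own cross-signing identity as seen by the local client.
struct OwnIdentity {
    /// Key id of our user-signing key (constructed value).
    user_signing_key: String,
    /// True only if this client has verified our own identity locally.
    locally_verified: bool,
}

/// Another user's identity and the key ids that have signed it.
struct OtherIdentity {
    signed_by: HashSet<String>,
}

impl OwnIdentity {
    fn has_signed(&self, other: &OtherIdentity) -> bool {
        other.signed_by.contains(&self.user_signing_key)
    }
}

/// Behaviour described in the advisory: only the signature is checked, so the
/// result does not depend on whether our own identity is trusted.
fn is_verified_before_fix(own: &OwnIdentity, other: &OtherIdentity) -> bool {
    own.has_signed(other)
}

/// Hardened form (assumed): the signature counts only if our own identity is verified.
fn is_verified_hardened(own: &OwnIdentity, other: &OtherIdentity) -> bool {
    own.locally_verified && own.has_signed(other)
}

/// Constructed sample: `other` carries a signature from our user-signing key.
fn sample(own_verified: bool) -> (OwnIdentity, OtherIdentity) {
    let key = "ed25519:USK_SAMPLE".to_string();
    let other = OtherIdentity { signed_by: HashSet::from([key.clone()]) };
    (OwnIdentity { user_signing_key: key, locally_verified: own_verified }, other)
}

fn main() {
    for own_verified in [true, false] {
        let (own, other) = sample(own_verified);
        let (before, after) = (is_verified_before_fix(&own, &other), is_verified_hardened(&own, &other));
        println!("own identity verified={own_verified}: before_fix={before} hardened={after}");
    }
}
```

Callers that gate sensitive operations on this method are the ones to audit after upgrading to 0.7.2.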

CVSS:5.4(Medium)

A vulnerability in Cisco WebEx Meetings Server could allow an authenticated, remote attacker to conduct arbitrary password changes against any non-administrative user. More Information: CSCuz03345. Kn...

CVSS:5.4(Medium)

A vulnerability in the session identification management functionality of the web-based GUI of Cisco Integrated Management Controller (IMC) 3.0(1c) could allow an unauthenticated, remote attacker to h...

CVSS:5.4(Medium)

An improper authentication vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in SecurityRealm.java, TokenBasedRememberMeServices2.java that allows attackers with a valid cookie to ...

CVSS:5.4(Medium)

A missing check in Nextcloud Server 17.0.0 allowed an attacker to set up a new second factor when trying to log in.

CVSS:5.4(Medium)

In Pydio Cells 2.0.4, once an authenticated user shares a file selecting the create a public link option, a hidden shared user account is created in the backend with a random username. An anonymous us...

CVSS:5.4(Medium)

IBM Cloud Pak for Security (CP4S) 1.7.0.0, 1.7.1.0, 1.7.2.0, and 1.8.0.0 could allow an attacker to perform unauthorized actions due to improper or missing authentication controls. IBM X-Force ID: 199...