
Missing decoration for events decrypted with untrusted Megolm sessions

Moderate
dkasak published GHSA-fm8m-99j7-323g Nov 11, 2022

Package

im.vector.app (Swift)

Affected versions

< 1.9.7

Patched versions

1.9.7

Description

Impact

Events decrypted with Megolm sessions for which trust could not be established were not decorated accordingly, i.e. they were shown without the warning shields that mark messages whose sender cannot be verified.

A malicious homeserver could therefore inject messages into a room without the user being alerted that they were not sent by a verified group member, even if the user had previously verified every member of the room.
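The following is an added illustration of the decision the advisory is about, not Element iOS or MatrixSDK code. The type names, the session "source" field, the shield policy and the sample users and device IDs are all assumptions chosen to model the flaw: a decrypted event whose Megolm session cannot be attributed to a device of the claimed sender must still be decorated, regardless of how many room members have been verified. The vulnerable variant returns no shield for such events; the fixed variant does.

```python
"""Model of the warning-shield decision for Megolm-decrypted events.

Added example, not Element iOS / MatrixSDK code. Names, fields and the
shield policy below are assumptions made to illustrate the advisory.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional


class SessionSource(Enum):
    # Room key arrived over an Olm channel from a device we could attribute it to
    DIRECT_FROM_DEVICE = "direct"
    # Room key was forwarded, restored or imported: the client cannot establish
    # which device originally created the session ("trust could not be established")
    UNATTRIBUTED = "unattributed"


@dataclass(frozen=True)
class MegolmSession:
    session_id: str
    claimed_sender_key: str          # curve25519 key the key-share claimed (assumed field)
    source: SessionSource
    sender_device_id: Optional[str]  # None when attribution failed


@dataclass(frozen=True)
class DeviceTrust:
    user_id: str
    device_id: str
    verified: bool                   # cross-signed or manually verified


@dataclass(frozen=True)
class DecryptedEvent:
    event_id: str
    sender: str                      # user id asserted by the homeserver
    session: MegolmSession


class Shield(Enum):
    NONE = "no shield"
    UNVERIFIED_DEVICE = "red shield: sent by an unverified device"
    UNTRUSTED_SESSION = "red shield: sender could not be established"


def _device_shield(event: DecryptedEvent, device: Optional[DeviceTrust],
                   room_all_verified: bool) -> Shield:
    """Shared policy for sessions that were attributed to some device."""
    if device is None or device.user_id != event.sender:
        # Key is attributable, but not to a device of the user the server names as sender
        return Shield.UNTRUSTED_SESSION
    if not device.verified:
        # Assumed policy: an unverified device is only flagged when the user
        # expects everyone in the room to be verified
        return Shield.UNVERIFIED_DEVICE if room_all_verified else Shield.NONE
    return Shield.NONE


def shield_vulnerable(event: DecryptedEvent, devices: Dict[str, DeviceTrust],
                      room_all_verified: bool) -> Shield:
    """Behaviour described for versions before 1.9.7 (modelled): an
    unattributable session silently produces no decoration."""
    s = event.session
    if s.source is not SessionSource.DIRECT_FROM_DEVICE or s.sender_device_id is None:
        return Shield.NONE                       # the bug: no warning shield
    return _device_shield(event, devices.get(s.sender_device_id), room_all_verified)


def shield_fixed(event: DecryptedEvent, devices: Dict[str, DeviceTrust],
                 room_all_verified: bool) -> Shield:
    """Corrected decision: unattributable sessions are always decorated."""
    s = event.session
    if s.source is not SessionSource.DIRECT_FROM_DEVICE or s.sender_device_id is None:
        return Shield.UNTRUSTED_SESSION
    return _device_shield(event, devices.get(s.sender_device_id), room_all_verified)


def scenario() -> Dict[str, tuple]:
    """Constructed example: the local user has verified Bob's only device, so
    the room counts as fully verified. The homeserver then delivers a message
    decrypted with a session that cannot be attributed to Bob's device."""
    devices = {"BOBDEVICE": DeviceTrust("@bob:example.org", "BOBDEVICE", verified=True)}
    genuine = DecryptedEvent("$genuine", "@bob:example.org", MegolmSession(
        "sess-A", "bob-curve25519", SessionSource.DIRECT_FROM_DEVICE, "BOBDEVICE"))
    injected = DecryptedEvent("$injected", "@bob:example.org", MegolmSession(
        "sess-B", "bob-curve25519", SessionSource.UNATTRIBUTED, None))
    return {
        "genuine": (shield_vulnerable(genuine, devices, True),
                    shield_fixed(genuine, devices, True)),
        "injected": (shield_vulnerable(injected, devices, True),
                     shield_fixed(injected, devices, True)),
    }


if __name__ == "__main__":
    for name, (before, after) in scenario().items():
        print(f"{name}: before fix -> {before.value}; after fix -> {after.value}")
```

The point the model makes is that the verification state of the room's members is irrelevant for an unattributable session: the check on the session must come first, before any device-trust lookup, because the device-trust lookup has nothing to look up.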

Patches

Patched in Element iOS 1.9.7.

Workarounds

None.

References

For more information

If you have any questions or comments about this advisory, email us at security@matrix.org.

Severity

Moderate

CVE ID

CVE-2022-41904

Weaknesses

No CWEs