CVE-2021-34813 - Matrix libolm before 3.2.3 allows a malicious Matrix homeserver to crash a client (while it is attem

CVE-2021-34813

Summary

Matrix libolm before 3.2.3 allows a malicious Matrix homeserver to crash a client (while it is attempting to retrieve an Olm encrypted room key backup from the homeserver) because olm_pk_decrypt has a stack-based buffer overflow. Remote code execution might be possible for some nonstandard build configurations.

References

https://gitlab.matrix.org/matrix-org/olm/-/releases/3.2.3
https://matrix.org/blog/2021/06/14/adventures-in-fuzzing-libolm
https://gitlab.matrix.org/matrix-org/olm/-/commit/ccc0d122ee1b4d5e5ca4ec1432086be17d5f901b

Vulnerable Configurations

cpe:2.3:a:matrix:olm:*:*:*:*:*:*:*:*
cpe:2.3:a:matrix:olm:*:*:*:*:*:*:*:*

CVSS

Base:	7.5 (as of 23-06-2021 - 14:29)
Impact:
Exploitability:

CWE

CWE-787

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	LOW	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	PARTIAL

cvss-vector via4

AV:N/AC:L/Au:N/C:P/I:P/A:P

Last major update

23-06-2021 - 14:29

Published

16-06-2021 - 18:15

Last modified

23-06-2021 - 14:29