[manjaro-security] [ASA-202109-5] element-web: information disclosure
Jonas Witschel via arch-security
arch-security at lists.archlinux.org
Wed Sep 15 10:48:40 CEST 2021
Arch Linux Security Advisory ASA-202109-5
Date : 2021-09-14
CVE-ID : CVE-2021-40823
Package : element-web
Type : information disclosure
Remote : Yes
Link : https://security.archlinux.org/AVG-2377
The package element-web before version 1.8.4-1 is vulnerable to
Upgrade to 1.8.4-1.
# pacman -Syu "element-web>=1.8.4-1"
The problem has been fixed upstream in version 1.8.4.
A security issue has been found in matrix-js-sdk before version 12.4.1, as
used by Element Web/Desktop before version 1.8.4. In certain
circumstances it may be possible to trick vulnerable clients into
disclosing encryption keys for messages previously sent by that client
to user accounts later compromised by an attacker.
Exploiting this vulnerability to read encrypted messages requires
gaining control over the recipient’s account. This requires either
compromising their credentials directly or compromising their
Thus, the greatest risk is to users who are in encrypted rooms
containing malicious servers. Admins of malicious servers could attempt
to impersonate their users' devices in order to spy on messages sent by
vulnerable clients in that room.
A remote attacker able to compromise a user account could disclose
encryption keys for messages previously sent by the Matrix client.