CVE-2021-44538

Published: Dec 14, 2021Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

The olm_session_describe function in Matrix libolm before 3.2.7 is vulnerable to a buffer overflow. The Olm session object represents a cryptographic channel between two parties. Therefore, its state is partially controllable by the remote party of the channel. Attackers can construct a crafted sequence of messages to manipulate the state of the receiver's session in such a way that, for some buffer sizes, a buffer overflow happens on a call to olm_session_describe. Furthermore, safe buffer sizes were undocumented. The overflow content is partially controllable by the attacker and limited to ASCII spaces and digits. The known affected products are Element Web And SchildiChat Web.

Affected (10)

Products: Matrix: Element, Javascript Sdk, Olm · Schildi: Schildichat · Cinny Project: Cinny · +1 more

Show all products

Matrix: Element, Javascript Sdk, Olm · Schildi: Schildichat · Cinny Project: Cinny · Debian: Debian Linux

3 products

1 product

1 product

1 product

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Matrix Element	Before 1.9.7
Matrix Element	Before 1.9.7
Matrix Javascript Sdk	From 2.4.2 to 15.2.1
Matrix Olm	From 3.1.4 to 3.2.8

Configuration B

2 vulnerable

Vulnerable Software	Affected Versions
Schildi Schildichat	Before 1.9.7-sc1
Schildi Schildichat	Before 1.9.7-sc1

Configuration C

1 vulnerable

Vulnerable Software	Affected Versions
Cinny Project Cinny	Before 1.6.0

Configuration D

3 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 10.0
Debian Debian Linux	Version 11.0
Debian Debian Linux	Version 9.0

Related CWEs

Improper Restriction of Operations within the Bounds of a Memory Buffer

The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.

References (8)

https://gitlab.matrix.org/matrix-org/olm/-/tags

Source: cve@mitre.org

ProductThird Party Advisory

https://lists.debian.org/debian-lts-announce/2022/01/msg00001.html

Source: cve@mitre.org

Mailing ListThird Party Advisory

https://matrix.org/blog/2021/12/13/disclosure-buffer-overflow-in-libolm-and-matrix-js-sdk

Source: cve@mitre.org

PatchVendor Advisory

https://www.debian.org/security/2022/dsa-5034

Source: cve@mitre.org

Third Party Advisory

https://gitlab.matrix.org/matrix-org/olm/-/tags

Source: af854a3a-2127-422b-91ae-364da2661108

ProductThird Party Advisory

https://lists.debian.org/debian-lts-announce/2022/01/msg00001.html

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://matrix.org/blog/2021/12/13/disclosure-buffer-overflow-in-libolm-and-matrix-js-sdk

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

https://www.debian.org/security/2022/dsa-5034

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.