cisagov / vulnrichment

A repo to conduct vulnerability enrichment.
Creative Commons Zero v1.0 Universal

Update metrics for recent libolm CVEs #100

Closed davidegirardi closed 3 weeks ago

davidegirardi commented 1 month ago

🗣 Description

This PR fixes CVSS scoring for CVE-2024-45191, CVE-2024-45192 and CVE-2024-45193 which did not reflect the vulnerabilities. It also updates the SSVC section.

The changes consider libolm itself as a generic double-ratchet library, not just in the context of its use in the Matrix protocol. That would otherwise further reduce the severity.

🧪 Testing

I checked that the format is correct by running:

cat 2024/45xxx/CVE-2024-45191.json 2024/45xxx/CVE-2024-45192.json 2024/45xxx/CVE-2024-45193.json | jq

✅ Pre-approval checklist

✅ Pre-merge checklist

✅ Post-merge checklist
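The testing step above only confirms that the three records parse. As an added example (not part of this PR or the vulnrichment project), the script below goes one step further: it checks each file with `jq -e` so a parse failure gives a non-zero exit status, pulls out every CVSS v3.1 vector string found in the record, and splits out a single metric such as the PR (Privileges Required) value that the review discussion turns on. It assumes the CVE JSON 5.x record layout (`containers.cna` and `containers.adp[]`, each with an optional `metrics[].cvssV3_1.vectorString`) and `jq` on PATH; the record it writes is a constructed sample, not one of the files in this PR.

```shell
#!/bin/sh
# Added example, not code from the PR or the vulnrichment repo.
# Assumes the CVE JSON 5.x layout and that jq is installed.

# Write a constructed sample record into a temp directory and print the directory.
# The CVE id, container contents and score are made up for this example.
make_sample() {
  dir=$(mktemp -d)
  cat > "$dir/CVE-0000-00000.json" <<'EOF'
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "cveMetadata": { "cveId": "CVE-0000-00000", "state": "PUBLISHED" },
  "containers": {
    "cna": {
      "descriptions": [ { "lang": "en", "value": "constructed sample record" } ]
    },
    "adp": [
      {
        "title": "constructed ADP container",
        "metrics": [
          {
            "cvssV3_1": {
              "version": "3.1",
              "baseScore": 6.5,
              "baseSeverity": "MEDIUM",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
            }
          }
        ]
      }
    ]
  }
}
EOF
  printf '%s\n' "$dir"
}

# Return 0 when the file is well-formed JSON whose top-level value is not null/false;
# `jq -e` exits 2 on a parse error, which `cat ... | jq` alone would not surface.
check_json() {
  jq -e . "$1" >/dev/null 2>&1
}

# Print every CVSS v3.1 vector string in the CNA container and all ADP containers,
# one per line. Containers without a metrics array are skipped.
cvss_vectors() {
  jq -r '([.containers.cna] + (.containers.adp // []))
         | .[]
         | (.metrics // [])[]
         | .cvssV3_1.vectorString // empty' "$1"
}

# Extract one metric (e.g. PR, AV, UI) from a CVSS v3.1 vector string.
vector_field() {
  printf '%s\n' "$1" | tr '/' '\n' | sed -n "s/^$2://p"
}

# Usage: validate every record in the given directory and show its PR metric.
if [ "${1:-}" ]; then
  for f in "$1"/*.json; do
    if check_json "$f"; then
      cvss_vectors "$f" | while read -r v; do
        printf '%s: %s (PR:%s)\n' "$f" "$v" "$(vector_field "$v" PR)"
      done
    else
      printf '%s: INVALID JSON\n' "$f" >&2
    fi
  done
fi
```

Run it as `sh check_cvss.sh 2024/45xxx` to report the vector and PR value of each record in a directory; a malformed file is reported on stderr instead of silently producing partial output.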

eslerm commented 1 month ago

These CVSS changes look okay to me, except Privileges Required should remain None. (i.e., joining a public channel to attempt these attacks means that the privilege is None, not Low.)

davidegirardi commented 1 month ago

I had this very discussion with a colleague while preparing the PR. My argument is that you, as the attacker, need some kind of relationship with the victim implementation to make it encrypt content you choose at will.

In the context of Matrix, public rooms are not encrypted, so creating that relation would require starting a 1:1 message or joining a shared private room.

That's why I think Privileges Required is Low.

eslerm commented 1 month ago

Thanks for the explanation, that sounds reasonable.

amanion-cisa commented 1 month ago

Hi, thanks for the improvements, we'll review and make any changes upstream in the vulnrichment workflow.

jwoytek-cisa commented 3 weeks ago

@davidegirardi these entries were reevaluated and scores updated. The data was modified upstream, making it impractical to merge this PR. Thank you for the report!