{"id":"CVE-2024-34353","summary":"matrix-sdk-crypto contains a log exposure of private key of the server-side key backup","details":"The matrix-sdk-crypto crate, part of the Matrix Rust SDK project, is an implementation of a Matrix end-to-end encryption state machine in Rust. In Matrix, the server-side `key backup` stores encrypted copies of Matrix message keys. This facilitates key sharing between a user's devices and provides a redundant copy in case all devices are lost. The key backup uses asymmetric cryptography, with each server-side key backup assigned a unique public-private key pair. Due to a logic bug introduced in commit 71136e44c03c79f80d6d1a2446673bc4d53a2067, matrix-sdk-crypto version 0.7.0 will sometimes log the private part of the backup key pair to Rust debug logs (using the `tracing` crate). This issue has been resolved in matrix-sdk-crypto version 0.7.1. No known workarounds are available.","aliases":["GHSA-9ggc-845v-gcgv"],"modified":"2026-04-10T05:12:53.055749Z","published":"2024-05-13T15:43:10.574Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/34xxx/CVE-2024-34353.json","cwe_ids":["CWE-532"],"cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://crates.io/crates/matrix-sdk-crypto/0.7.1"},{"type":"WEB","url":"https://github.com/matrix-org/matrix-rust-sdk/releases/tag/matrix-sdk-crypto-0.7.1"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/34xxx/CVE-2024-34353.json"},{"type":"ADVISORY","url":"https://github.com/matrix-org/matrix-rust-sdk/security/advisories/GHSA-9ggc-845v-gcgv"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-34353"},{"type":"FIX","url":"https://github.com/matrix-org/matrix-rust-sdk/commit/71136e44c03c79f80d6d1a2446673bc4d53a2067"},{"type":"FIX","url":"https://github.com/matrix-org/matrix-rust-sdk/commit/fa10bbb5dd0f9120a51aa1854cec752e25790bb0"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/matrix-org/matrix-rust-sdk","events":[{"introduced":"0"},{"fixed":"71136e44c03c79f80d6d1a2446673bc4d53a2067"}]},{"type":"GIT","repo":"https://github.com/matrix-org/matrix-rust-sdk","events":[{"introduced":"0"},{"fixed":"fa10bbb5dd0f9120a51aa1854cec752e25790bb0"}]},{"type":"GIT","repo":"https://github.com/matrix-org/matrix-rust-sdk","events":[{"introduced":"0"},{"fixed":"c99f6657668977d46d8eb2368c6918fd30c36515"}]},{"type":"GIT","repo":"https://github.com/matrix-org/matrix-rust-sdk","events":[{"introduced":"0"},{"fixed":"71136e44c03c79f80d6d1a2446673bc4d53a2067"}]},{"type":"GIT","repo":"https://github.com/matrix-org/matrix-rust-sdk","events":[{"introduced":"0"},{"fixed":"fa10bbb5dd0f9120a51aa1854cec752e25790bb0"}]},{"type":"GIT","repo":"https://github.com/matrix-org/matrix-rust-sdk","events":[{"introduced":"0"},{"fixed":"c99f6657668977d46d8eb2368c6918fd30c36515"}]}],"versions":["0.1.0","0.7.0","0.7.1","matrix-qrcode-0.2.0","matrix-sdk-0.4.0","matrix-sdk-0.4.1","matrix-sdk-base-0.4.0","matrix-sdk-base-0.4.1","matrix-sdk-common-0.4.0","matrix-sdk-common-0.4.1","matrix-sdk-crypto-0.4.0","matrix-sdk-crypto-0.4.1","matrix-sdk-crypto-ffi-0.1.0","matrix-sdk-crypto-ffi-0.1.1","matrix-sdk-crypto-ffi-0.1.10","matrix-sdk-crypto-ffi-0.1.2","matrix-sdk-crypto-ffi-0.1.3","matrix-sdk-crypto-ffi-0.1.4","matrix-sdk-crypto-ffi-0.1.5","matrix-sdk-crypto-ffi-0.1.6","matrix-sdk-crypto-ffi-0.1.7","matrix-sdk-crypto-ffi-0.1.8","matrix-sdk-crypto-ffi-0.1.9","matrix-sdk-crypto-ffi-0.2.0","matrix-sdk-crypto-ffi-0.2.1","matrix-sdk-crypto-ffi-0.3.0","matrix-sdk-crypto-ffi-0.3.1","matrix-sdk-crypto-ffi-0.3.10","matrix-sdk-crypto-ffi-0.3.11","matrix-sdk-crypto-ffi-0.3.12","matrix-sdk-crypto-ffi-0.3.13","matrix-sdk-crypto-ffi-0.3.2","matrix-sdk-crypto-ffi-0.3.4","matrix-sdk-crypto-ffi-0.3.5","matrix-sdk-crypto-ffi-0.3.7","matrix-sdk-crypto-ffi-0.3.8","matrix-sdk-crypto-ffi-0.3.9","matrix-sdk-crypto-js-v0.1.0-alpha.0","matrix-sdk-crypto-js-v0.1.0-alpha.1","matrix-sdk-crypto-js-v0.1.0-alpha.2","matrix-sdk-crypto-js-v0.1.0-alpha.4","matrix-sdk-test-0.4.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-34353.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}]}