{"id":"CVE-2024-34353","summary":"matrix-sdk-crypto contains a log exposure of private key of the server-side key backup","details":"The matrix-sdk-crypto crate, part of the Matrix Rust SDK project, is an implementation of a Matrix end-to-end encryption state machine in Rust. In Matrix, the server-side `key backup` stores encrypted copies of Matrix message keys. This facilitates key sharing between a user's devices and provides a redundant copy in case all devices are lost. The key backup uses asymmetric\ncryptography, with each server-side key backup assigned a unique public-private key pair. Due to a logic bug introduced in commit 71136e44c03c79f80d6d1a2446673bc4d53a2067, matrix-sdk-crypto version 0.7.0 will sometimes log the private part of the backup key pair to Rust debug logs (using the `tracing` crate). This issue has been resolved in matrix-sdk-crypto version 0.7.1. No known workarounds are available.","aliases":["GHSA-9ggc-845v-gcgv"],"modified":"2026-03-03T02:54:07.723805Z","published":"2024-05-13T15:43:10.574Z","database_specific":{"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/34xxx/CVE-2024-34353.json","cwe_ids":["CWE-532"]},"references":[{"type":"WEB","url":"https://crates.io/crates/matrix-sdk-crypto/0.7.1"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/34xxx/CVE-2024-34353.json"},{"type":"FIX","url":"https://github.com/matrix-org/matrix-rust-sdk/commit/71136e44c03c79f80d6d1a2446673bc4d53a2067"},{"type":"FIX","url":"https://github.com/matrix-org/matrix-rust-sdk/commit/fa10bbb5dd0f9120a51aa1854cec752e25790bb0"},{"type":"WEB","url":"https://github.com/matrix-org/matrix-rust-sdk/releases/tag/matrix-sdk-crypto-0.7.1"},{"type":"ADVISORY","url":"https://github.com/matrix-org/matrix-rust-sdk/security/advisories/GHSA-9ggc-845v-gcgv"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-34353"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/matrix-org/matrix-rust-sdk","events":[{"introduced":"0"},{"fixed":"71136e44c03c79f80d6d1a2446673bc4d53a2067"},{"introduced":"0"},{"fixed":"c99f6657668977d46d8eb2368c6918fd30c36515"},{"introduced":"0"},{"fixed":"fa10bbb5dd0f9120a51aa1854cec752e25790bb0"}]}],"versions":["0.1.0","0.2.0","0.3.0","0.7.0","0.7.1","0f","matrix-qrcode-0.2.0","matrix-sdk-0.4.0","matrix-sdk-0.4.1","matrix-sdk-0.5.0","matrix-sdk-0.6.0","matrix-sdk-base-0.4.0","matrix-sdk-base-0.4.1","matrix-sdk-base-0.5.0","matrix-sdk-base-0.5.1","matrix-sdk-base-0.6.0","matrix-sdk-common-0.4.0","matrix-sdk-common-0.4.1","matrix-sdk-common-0.5.0","matrix-sdk-common-0.6.0","matrix-sdk-crypto-0.4.0","matrix-sdk-crypto-0.4.1","matrix-sdk-crypto-0.5.0","matrix-sdk-crypto-0.6.0","matrix-sdk-crypto-ffi-0.1.0","matrix-sdk-crypto-ffi-0.1.1","matrix-sdk-crypto-ffi-0.1.10","matrix-sdk-crypto-ffi-0.1.2","matrix-sdk-crypto-ffi-0.1.3","matrix-sdk-crypto-ffi-0.1.4","matrix-sdk-crypto-ffi-0.1.5","matrix-sdk-crypto-ffi-0.1.6","matrix-sdk-crypto-ffi-0.1.7","matrix-sdk-crypto-ffi-0.1.8","matrix-sdk-crypto-ffi-0.1.9","matrix-sdk-crypto-ffi-0.2.0","matrix-sdk-crypto-ffi-0.2.1","matrix-sdk-crypto-ffi-0.3.0","matrix-sdk-crypto-ffi-0.3.1","matrix-sdk-crypto-ffi-0.3.10","matrix-sdk-crypto-ffi-0.3.11","matrix-sdk-crypto-ffi-0.3.12","matrix-sdk-crypto-ffi-0.3.13","matrix-sdk-crypto-ffi-0.3.2","matrix-sdk-crypto-ffi-0.3.4","matrix-sdk-crypto-ffi-0.3.5","matrix-sdk-crypto-ffi-0.3.6","matrix-sdk-crypto-ffi-0.3.7","matrix-sdk-crypto-ffi-0.3.8","matrix-sdk-crypto-ffi-0.3.9","matrix-sdk-crypto-js-0.1.0","matrix-sdk-crypto-js-0.1.0-alpha.10","matrix-sdk-crypto-js-0.1.0-alpha.6","matrix-sdk-crypto-js-0.1.0-alpha.8","matrix-sdk-crypto-js-0.1.0-alpha.9","matrix-sdk-crypto-js-0.1.2","matrix-sdk-crypto-js-0.1.3","matrix-sdk-crypto-js-0.1.4","matrix-sdk-crypto-js-v0.1.0-alpha.0","matrix-sdk-crypto-js-v0.1.0-alpha.1","matrix-sdk-crypto-js-v0.1.0-alpha.2","matrix-sdk-crypto-js-v0.1.0-alpha.3","matrix-sdk-crypto-js-v0.1.0-alpha.4","matrix-sdk-crypto-js-v0.1.0-alpha.5","matrix-sdk-crypto-js-v0.1.0-alpha.6","matrix-sdk-crypto-nodejs-v0.1.0-beta.0","matrix-sdk-indexeddb-0.1.0","matrix-sdk-indexeddb-0.2.0","matrix-sdk-qrcode-0.3.0","matrix-sdk-qrcode-0.4.0","matrix-sdk-sled-0.1.0","matrix-sdk-sled-0.2.0","matrix-sdk-store-encryption-0.1.0","matrix-sdk-store-encryption-0.2.0","matrix-sdk-test-0.4.0","matrix-sdk-test-0.5.0","matrix-sdk-test-0.6.0","matrix-sdk-test-macros-0.2.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-34353.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}]}