CVE-2022-39264 — Improper Authentication in Nheko

CWE-287 — Improper Authentication CWE-295 — Improper Certificate Validation3 documents3 sources

Severity

5.9MEDIUMNVD

EPSS

0.4%

top 40.48%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nheko-reborn Nheko Debian Nheko Fedoraproject Fedora

Timeline

PublishedSep 28

Description

nheko is a desktop client for the Matrix communication application. All versions below 0.10.2 are vulnerable homeservers inserting malicious secrets, which could lead to man-in-the-middle attacks. Users can upgrade to version 0.10.2 to protect against this issue. As a workaround, one may apply the patch manually, avoid doing verifications of one's own devices, and/or avoid pressing the request button in the settings menu.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages3 packages

▶debiandebian/nheko< nheko 0.10.2-1 (bookworm)

▶NVDnheko-reborn/nheko< 0.10.2

▶Debiannheko-reborn/nheko< 0.10.2-1+2

Also affects: Fedora 36, 37

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2022-39264: nheko is a desktop client for the Matrix communication application↗2022-09-28

▶

📋Vendor Advisories

Debian

CVE-2022-39264: nheko - nheko is a desktop client for the Matrix communication application. All versions...↗2022

▶