Django REST framework

Lookup for vulnerabilities affecting packages.

Vulnerability_id VCID-dvrk-p9dt-y7h6

Summary

matrix-android-sdk2 vulnerable to impersonation via forwarded Megolm sessions
### Impact
An attacker cooperating with a malicious homeserver can construct messages appearing to have come from another person. Such messages will be marked with a grey shield on some platforms, but this may be missing in others.

This attack is possible due to the matrix-android-sdk2 implementing a too permissive [key forwarding](https://spec.matrix.org/v1.3/client-server-api/#key-requests) strategy on the receiving end.

Key forwarding is a mechanism allowing clients to recover from “unable to decrypt” messages when they missed the initial key distribution, at the time the message was originally sent. Examples include accessing message history before they joined the room but also when some network/federation errors have occurred.

### Patches

The default policy for accepting key forwards has been made more strict in the matrix-android-sdk2. The matrix-android-sdk2 will now only accept forwarded keys in response to previously issued requests and only from own, verified devices.

A unique exception to this rule is with the experimental [MSC3061](https://github.com/matrix-org/matrix-spec-proposals/pull/3061), that is forwarding room keys for past messages when invited in a room configured with the proper history visibility setting. Such key forwards are parked upon receipt and are only accepted if the SDK receives an invitation for that room from the inviter in a limited time window.

The SDK now sets a `trusted` flag on the decrypted message upon decryption, based on whether the key used to decrypt the message was received from a trusted source. Clients need to ensure that messages decrypted with a key with `trusted = false` are decorated appropriately (for example, by showing a warning for such messages).

### Workarounds
Current users of the SDK can disable key forwarding in their forks using `CryptoService#enableKeyGossiping(enable: Boolean)`.

### References
Blog post: https://matrix.org/blog/2022/09/28/upgrade-now-to-address-encryption-vulns-in-matrix-sdks-and-clients

### For more information
If you have any questions or comments about this advisory, e-mail us at [security@matrix.org](mailto:security@matrix.org).

Aliases

alias	CVE-2022-39246

alias	GHSA-2pvj-p485-cp3m

Fixed_packages

url	pkg:maven/org.matrix.android/matrix-android-sdk2@1.5.1
purl	pkg:maven/org.matrix.android/matrix-android-sdk2@1.5.1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.matrix.android/matrix-android-sdk2@1.5.1

Affected_packages

url pkg:maven/org.matrix.android/matrix-android-sdk2@0.0.2

purl pkg:maven/org.matrix.android/matrix-android-sdk2@0.0.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-dvrk-p9dt-y7h6

vulnerability	VCID-k87r-mnjz-tkc9

vulnerability	VCID-mwm6-1d7e-mfev

vulnerability	VCID-r2zf-yxr7-gke9

vulnerability	VCID-vx5q-mbn5-8kcf

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.matrix.android/matrix-android-sdk2@0.0.2

url pkg:maven/org.matrix.android/matrix-android-sdk2@1.2.1

purl pkg:maven/org.matrix.android/matrix-android-sdk2@1.2.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-dvrk-p9dt-y7h6

vulnerability	VCID-mwm6-1d7e-mfev

vulnerability	VCID-vx5q-mbn5-8kcf

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.matrix.android/matrix-android-sdk2@1.2.1

url pkg:maven/org.matrix.android/matrix-android-sdk2@1.2.2

purl pkg:maven/org.matrix.android/matrix-android-sdk2@1.2.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-dvrk-p9dt-y7h6

vulnerability	VCID-vx5q-mbn5-8kcf

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.matrix.android/matrix-android-sdk2@1.2.2

url pkg:maven/org.matrix.android/matrix-android-sdk2@1.3.0

purl pkg:maven/org.matrix.android/matrix-android-sdk2@1.3.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-dvrk-p9dt-y7h6

vulnerability	VCID-vx5q-mbn5-8kcf

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.matrix.android/matrix-android-sdk2@1.3.0

url pkg:maven/org.matrix.android/matrix-android-sdk2@1.3.2

purl pkg:maven/org.matrix.android/matrix-android-sdk2@1.3.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-dvrk-p9dt-y7h6

vulnerability	VCID-vx5q-mbn5-8kcf

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.matrix.android/matrix-android-sdk2@1.3.2

url pkg:maven/org.matrix.android/matrix-android-sdk2@1.3.4

purl pkg:maven/org.matrix.android/matrix-android-sdk2@1.3.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-dvrk-p9dt-y7h6

vulnerability	VCID-vx5q-mbn5-8kcf

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.matrix.android/matrix-android-sdk2@1.3.4

url pkg:maven/org.matrix.android/matrix-android-sdk2@1.3.7

purl pkg:maven/org.matrix.android/matrix-android-sdk2@1.3.7

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-dvrk-p9dt-y7h6

vulnerability	VCID-vx5q-mbn5-8kcf

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.matrix.android/matrix-android-sdk2@1.3.7

url pkg:maven/org.matrix.android/matrix-android-sdk2@1.3.8

purl pkg:maven/org.matrix.android/matrix-android-sdk2@1.3.8

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-dvrk-p9dt-y7h6

vulnerability	VCID-vx5q-mbn5-8kcf

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.matrix.android/matrix-android-sdk2@1.3.8

url pkg:maven/org.matrix.android/matrix-android-sdk2@1.3.9

purl pkg:maven/org.matrix.android/matrix-android-sdk2@1.3.9

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-dvrk-p9dt-y7h6

vulnerability	VCID-vx5q-mbn5-8kcf

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.matrix.android/matrix-android-sdk2@1.3.9

url pkg:maven/org.matrix.android/matrix-android-sdk2@1.3.10

purl pkg:maven/org.matrix.android/matrix-android-sdk2@1.3.10

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-dvrk-p9dt-y7h6

vulnerability	VCID-vx5q-mbn5-8kcf

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.matrix.android/matrix-android-sdk2@1.3.10

url pkg:maven/org.matrix.android/matrix-android-sdk2@1.3.13

purl pkg:maven/org.matrix.android/matrix-android-sdk2@1.3.13

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-dvrk-p9dt-y7h6

vulnerability	VCID-vx5q-mbn5-8kcf

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.matrix.android/matrix-android-sdk2@1.3.13

url pkg:maven/org.matrix.android/matrix-android-sdk2@1.3.14

purl pkg:maven/org.matrix.android/matrix-android-sdk2@1.3.14

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-dvrk-p9dt-y7h6

vulnerability	VCID-vx5q-mbn5-8kcf

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.matrix.android/matrix-android-sdk2@1.3.14

url pkg:maven/org.matrix.android/matrix-android-sdk2@1.3.18

purl pkg:maven/org.matrix.android/matrix-android-sdk2@1.3.18

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-dvrk-p9dt-y7h6

vulnerability	VCID-vx5q-mbn5-8kcf

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.matrix.android/matrix-android-sdk2@1.3.18

url pkg:maven/org.matrix.android/matrix-android-sdk2@1.4.2

purl pkg:maven/org.matrix.android/matrix-android-sdk2@1.4.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-dvrk-p9dt-y7h6

vulnerability	VCID-vx5q-mbn5-8kcf

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.matrix.android/matrix-android-sdk2@1.4.2

url pkg:maven/org.matrix.android/matrix-android-sdk2@1.4.4

purl pkg:maven/org.matrix.android/matrix-android-sdk2@1.4.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-dvrk-p9dt-y7h6

vulnerability	VCID-vx5q-mbn5-8kcf

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.matrix.android/matrix-android-sdk2@1.4.4

url pkg:maven/org.matrix.android/matrix-android-sdk2@1.4.11

purl pkg:maven/org.matrix.android/matrix-android-sdk2@1.4.11

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-dvrk-p9dt-y7h6

vulnerability	VCID-vx5q-mbn5-8kcf

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.matrix.android/matrix-android-sdk2@1.4.11

url pkg:maven/org.matrix.android/matrix-android-sdk2@1.4.13

purl pkg:maven/org.matrix.android/matrix-android-sdk2@1.4.13

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-dvrk-p9dt-y7h6

vulnerability	VCID-vx5q-mbn5-8kcf

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.matrix.android/matrix-android-sdk2@1.4.13

url pkg:maven/org.matrix.android/matrix-android-sdk2@1.4.14

purl pkg:maven/org.matrix.android/matrix-android-sdk2@1.4.14

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-dvrk-p9dt-y7h6

vulnerability	VCID-vx5q-mbn5-8kcf

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.matrix.android/matrix-android-sdk2@1.4.14

url pkg:maven/org.matrix.android/matrix-android-sdk2@1.4.16

purl pkg:maven/org.matrix.android/matrix-android-sdk2@1.4.16

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-dvrk-p9dt-y7h6

vulnerability	VCID-vx5q-mbn5-8kcf

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.matrix.android/matrix-android-sdk2@1.4.16

url pkg:maven/org.matrix.android/matrix-android-sdk2@1.4.25

purl pkg:maven/org.matrix.android/matrix-android-sdk2@1.4.25

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-dvrk-p9dt-y7h6

vulnerability	VCID-vx5q-mbn5-8kcf

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.matrix.android/matrix-android-sdk2@1.4.25

url pkg:maven/org.matrix.android/matrix-android-sdk2@1.4.27

purl pkg:maven/org.matrix.android/matrix-android-sdk2@1.4.27

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-dvrk-p9dt-y7h6

vulnerability	VCID-vx5q-mbn5-8kcf

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.matrix.android/matrix-android-sdk2@1.4.27

url pkg:maven/org.matrix.android/matrix-android-sdk2@1.4.32

purl pkg:maven/org.matrix.android/matrix-android-sdk2@1.4.32

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-dvrk-p9dt-y7h6

vulnerability	VCID-vx5q-mbn5-8kcf

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.matrix.android/matrix-android-sdk2@1.4.32

url pkg:maven/org.matrix.android/matrix-android-sdk2@1.4.34

purl pkg:maven/org.matrix.android/matrix-android-sdk2@1.4.34

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-dvrk-p9dt-y7h6

vulnerability	VCID-vx5q-mbn5-8kcf

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.matrix.android/matrix-android-sdk2@1.4.34

url pkg:maven/org.matrix.android/matrix-android-sdk2@1.4.36

purl pkg:maven/org.matrix.android/matrix-android-sdk2@1.4.36

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-dvrk-p9dt-y7h6

vulnerability	VCID-vx5q-mbn5-8kcf

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.matrix.android/matrix-android-sdk2@1.4.36

References

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2022-39246

reference_id

reference_type

scores

value	0.00321
scoring_system	epss
scoring_elements	0.55135
published_at	2026-04-02T12:55:00Z

value	0.00321
scoring_system	epss
scoring_elements	0.552
published_at	2026-04-18T12:55:00Z

value	0.00321
scoring_system	epss
scoring_elements	0.55197
published_at	2026-04-16T12:55:00Z

value	0.00321
scoring_system	epss
scoring_elements	0.55158
published_at	2026-04-13T12:55:00Z

value	0.00321
scoring_system	epss
scoring_elements	0.55176
published_at	2026-04-12T12:55:00Z

value	0.00321
scoring_system	epss
scoring_elements	0.55195
published_at	2026-04-11T12:55:00Z

value	0.00321
scoring_system	epss
scoring_elements	0.55183
published_at	2026-04-09T12:55:00Z

value	0.00321
scoring_system	epss
scoring_elements	0.55134
published_at	2026-04-07T12:55:00Z

value	0.00321
scoring_system	epss
scoring_elements	0.55159
published_at	2026-04-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2022-39246

reference_url

https://github.com/matrix-org/matrix-android-sdk2

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/matrix-org/matrix-android-sdk2

reference_url

https://github.com/matrix-org/matrix-android-sdk2/commit/77df720a238d17308deab83ecaa37f7a4740a17e

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:50:49Z/

url

https://github.com/matrix-org/matrix-android-sdk2/commit/77df720a238d17308deab83ecaa37f7a4740a17e

reference_url

https://github.com/matrix-org/matrix-android-sdk2/releases/tag/v1.5.1

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:50:49Z/

url

https://github.com/matrix-org/matrix-android-sdk2/releases/tag/v1.5.1

reference_url

https://github.com/matrix-org/matrix-android-sdk2/security/advisories/GHSA-2pvj-p485-cp3m

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:50:49Z/

url

https://github.com/matrix-org/matrix-android-sdk2/security/advisories/GHSA-2pvj-p485-cp3m

reference_url

https://github.com/matrix-org/matrix-spec-proposals/pull/3061

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:50:49Z/

url

https://github.com/matrix-org/matrix-spec-proposals/pull/3061

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2022-39246

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2022-39246

reference_url

https://github.com/advisories/GHSA-2pvj-p485-cp3m

reference_id

GHSA-2pvj-p485-cp3m

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-2pvj-p485-cp3m

Weaknesses

cwe_id	287
name	Improper Authentication
description	When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

cwe_id	322
name	Key Exchange without Entity Authentication
description	The product performs a key exchange with an actor without verifying the identity of that actor.

cwe_id	1035
name	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.

cwe_id	937
name	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.

Exploits

Severity_range_score 7.0 - 8.9

Exploitability 0.5

Weighted_severity 8.0

Risk_score 4.0

Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-dvrk-p9dt-y7h6

Vulnerability Instance