Verified groups not reliable

High
raphaelrobert published GHSA-mc65-7w99-c6qv Jun 3, 2021

Package

No package listed

Affected versions

<= 3.80

Patched versions

3.81

Description

Impact

The status of a conversation would incorrectly be set to "unverified" when:

  • Self user is added to a new conversation
  • Self user is added to an existing conversation
  • All the participants in the conversation were previously marked as verified.

Patches

The code path for adding participants to a group considers only that the security level could decrease, which is true only when other users are being added. We should also consider increasing the security level if the self user is among the participants being added.

Fix: bf9db85
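
The logic gap described above, modelled as an added example. This is not code from the fix commit or from the affected project; the `Level`, `User` and `Conversation` types, the one-flag-per-user trust model and the "unverified" local default are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class Level(Enum):
    UNVERIFIED = "unverified"
    VERIFIED = "verified"


@dataclass(frozen=True)
class User:
    name: str
    all_devices_verified: bool  # assumption: trust collapsed to one flag per user


@dataclass
class Conversation:
    self_user: User
    participants: set = field(default_factory=set)
    level: Level = Level.UNVERIFIED  # assumption: local default before evaluation

    def everyone_verified(self) -> bool:
        return bool(self.participants) and all(
            u.all_devices_verified for u in self.participants)


def add_participants_before_fix(conv, added):
    """Pre-fix behaviour as described: adding participants can only lower the level."""
    conv.participants |= set(added)
    if any(not u.all_devices_verified for u in added):
        conv.level = Level.UNVERIFIED


def add_participants_after_fix(conv, added):
    """Also raise the level when the self user is among those being added."""
    conv.participants |= set(added)
    if any(not u.all_devices_verified for u in added):
        conv.level = Level.UNVERIFIED
    elif conv.self_user in added and conv.everyone_verified():
        conv.level = Level.VERIFIED


def self_added_to_verified_group(add_fn, others_verified=True):
    """Constructed scenario: self user joins a group of two existing members."""
    me = User("self", True)
    conv = Conversation(me, {User("alice", True), User("bob", others_verified)})
    add_fn(conv, [me])
    return conv.level
```

A regression test for this class of bug should cover both directions: the level rises when the self user joins a fully verified group, and still drops when any added participant is unverified.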

Workarounds

Unverify & verify a device in the conversation.

Credits

Reported by Justin Scholz.

Severity

High

CVE ID

CVE-2021-32665

Weaknesses

No CWEs