CVE-2022-45195
Severity CVSS v4.0:
Pending analysis
Type:
CWE-327
Use of a Broken or Risky Cryptographic Algorithm
Publication date:
12/11/2022
Last modified:
01/05/2025
Description
SimpleXMQ before 3.4.0, as used in SimpleX Chat before 4.2, does not apply a key derivation function to intended data, which can interfere with forward secrecy and can have other impacts if there is a compromise of a single private key. This occurs in the X3DH key exchange for the double ratchet protocol.
Impact
Base Score 3.x
5.30
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:simplex:simplex_chat:*:*:*:*:*:*:*:* | 4.2 (excluding) | |
| cpe:2.3:a:simplex:simplexmq:*:*:*:*:*:*:*:* | 3.4.0 (excluding) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://github.com/simplex-chat/simplexmq/compare/v3.3.0...v3.4.0
- https://github.com/simplex-chat/simplexmq/pull/548
- https://github.com/trailofbits/publications/blob/master/reviews/SimpleXChat.pdf
- https://simplex.chat/blog/20221108-simplex-chat-v4.2-security-audit-new-website.html
- https://github.com/simplex-chat/simplexmq/compare/v3.3.0...v3.4.0
- https://github.com/simplex-chat/simplexmq/pull/548
- https://github.com/trailofbits/publications/blob/master/reviews/SimpleXChat.pdf
- https://simplex.chat/blog/20221108-simplex-chat-v4.2-security-audit-new-website.html