matrix-rust-sdk Cryptographic Identity Change Notification Vulnerability

Vulnerability

A vulnerability exists in the matrix-sdk-crypto Rust crate in versions prior to 0.8.0. Those versions provide no mechanism to notify the application when a user's cryptographic identity changes from verified to unverified, so client applications built on this SDK may fail to recognize such a critical change.

Impact

Without a notification for this change, an application might continue to treat a now-unverified identity as verified, potentially allowing unauthorized actions or access.

Remediation

Upgrade to matrix-sdk-crypto version 0.8.0 or later, which introduces the necessary notification mechanism by adding a new VerificationLevel::VerificationViolation enum variant. This variant indicates that a previously verified identity has become unverified.
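The following is an added example, not code from matrix-rust-sdk: a self-contained Rust model of how a client should track a remote user's cross-signing identity so that a change from verified to unverified is surfaced as a distinct state instead of collapsing into plain "unverified". The enum and variant names follow the advisory; the StoredIdentity record layout, the track_identity and requires_user_attention functions, and the sample key strings are hypothetical.

```rust
// Added example (not matrix-rust-sdk code): model of a client-side identity
// tracker that distinguishes "never verified" from "verified, then changed".
// Enum names follow the advisory; record layout and helper names are hypothetical.

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum VerificationLevel {
    /// The identity was never verified by the local user.
    UnverifiedIdentity,
    /// The identity was verified earlier, but its master key has since changed.
    VerificationViolation,
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum VerificationState {
    Verified,
    Unverified(VerificationLevel),
}

/// What the client has stored about one remote user's identity (hypothetical layout).
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct StoredIdentity {
    pub user_id: String,
    /// Public master cross-signing key the server currently advertises for this user.
    pub master_key: String,
    /// The local user verified `master_key` (e.g. via emoji or QR verification).
    pub verified: bool,
    /// An earlier master key of this user was verified and has since been replaced.
    pub previously_verified: bool,
}

/// Classify an identity: a verified key is `Verified`; an unverified key that
/// replaced a verified one is a `VerificationViolation`; anything else is
/// simply `UnverifiedIdentity`.
pub fn verification_state(id: &StoredIdentity) -> VerificationState {
    if id.verified {
        VerificationState::Verified
    } else if id.previously_verified {
        VerificationState::Unverified(VerificationLevel::VerificationViolation)
    } else {
        VerificationState::Unverified(VerificationLevel::UnverifiedIdentity)
    }
}

/// Merge a freshly downloaded master key into the stored record. A new key is
/// never trusted automatically; if the old key was verified, the violation flag
/// is carried forward so the change is not lost.
pub fn track_identity(
    stored: Option<&StoredIdentity>,
    user_id: &str,
    new_master_key: &str,
) -> StoredIdentity {
    match stored {
        Some(old) if old.master_key == new_master_key => old.clone(),
        Some(old) => StoredIdentity {
            user_id: user_id.to_string(),
            master_key: new_master_key.to_string(),
            verified: false,
            previously_verified: old.verified || old.previously_verified,
        },
        None => StoredIdentity {
            user_id: user_id.to_string(),
            master_key: new_master_key.to_string(),
            verified: false,
            previously_verified: false,
        },
    }
}

/// Policy a client can apply before trusting a user: a violation requires the
/// local user to re-verify (or explicitly withdraw verification) first.
pub fn requires_user_attention(state: VerificationState) -> bool {
    matches!(
        state,
        VerificationState::Unverified(VerificationLevel::VerificationViolation)
    )
}

fn main() {
    // Constructed sample: @alice's key is verified, then the server presents a new one.
    let alice = StoredIdentity {
        user_id: "@alice:example.org".into(),
        master_key: "MSK-constructed-1".into(),
        verified: true,
        previously_verified: false,
    };
    let updated = track_identity(Some(&alice), "@alice:example.org", "MSK-constructed-2");
    let state = verification_state(&updated);
    println!(
        "{} -> {}: {:?}, needs attention: {}",
        alice.master_key, updated.master_key, state, requires_user_attention(state)
    );
}
```

The point of the model is the `previously_verified` flag: an application that only checks `verified` sees the same "false" before and after a key replacement and has nothing to alert on, which is the gap the advisory describes.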

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 6.6
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.