References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

Change History

Cryptomator encrypts data being stored on cloud infrastructure. Prior to version 1.19.1, an integrity check vulnerability allows an attacker to tamper with the vault configuration file leading to a man-in-the-middle vulnerability in Hub key loading mechanism. Before this fix, the client trusted endpoints from the vault config without host authenticity checks, which could allow token exfiltration by mixing a legitimate auth endpoint with a malicious API endpoint. Impacted are users unlocking Hub-backed vaults with affected client versions in environments where an attacker can alter the vault.cryptomator file. This issue has been patched in version 1.19.1.

AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

CWE-346

CWE-354

CWE-451

CWE-923

https://github.com/cryptomator/cryptomator/commit/6b82abcd80449a30b561d823193f9ecea542a625

https://github.com/cryptomator/cryptomator/pull/4179

https://github.com/cryptomator/cryptomator/releases/tag/1.19.1

https://github.com/cryptomator/cryptomator/security/advisories/GHSA-34rf-rwr3-7g43