
Cloud Vulnerability DB
A community-led vulnerabilities database
The vulnerability (GHSA-fc4h-xcf3-qj5f) affects matrix-sdk versions 0.6.0 to 0.6.2 and was discovered in October 2022. The issue involves the unintended logging of user access tokens when using matrix-sdk with tracing-subscriber in applications. This moderate severity vulnerability was officially published to the GitHub Advisory Database on October 25, 2022, and received its last update on January 7, 2023 (GitHub Advisory, RustSec Advisory).
The vulnerability occurs when sending Matrix requests using the affected versions of matrix-sdk in applications that implement logging with tracing-subscriber. Specifically, when the logging configuration includes fields of tracing spans, such as the default text output from the fmt module, the logs inadvertently expose the user's access token. This issue was documented in detail through practical examples showing how the access tokens appear in log outputs (Matrix SDK Issue).
The primary impact of this vulnerability is the exposure of user access tokens in application logs. Access tokens are sensitive authentication credentials, and if the logs are compromised or inadvertently shared, an exposed token could lead to unauthorized access to the user's account (GitHub Advisory).
The vulnerability has been patched in matrix-sdk version 0.6.2. Users should upgrade to this version or later to prevent the exposure of access tokens in logs. Systems running versions prior to 0.6.0 are not affected by this vulnerability (GitHub Advisory, RustSec Advisory).
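The leak mechanism described above, and one way application code can keep its own secrets out of span output, as an added example that is not code from matrix-sdk or from the advisory. `Secret`, `LeakyRequest`, `SafeRequest` and `span_field` are hypothetical names; `span_field` is a std-only stand-in for a tracing span field recorded with `Debug` formatting, and the token is a constructed value.

```rust
use std::fmt;

/// Newtype for a credential: its Debug output never contains the value.
pub struct Secret(String);

impl Secret {
    pub fn new(v: impl Into<String>) -> Self {
        Secret(v.into())
    }
    /// Explicit, greppable accessor for the one place that builds the header.
    pub fn expose(&self) -> &str {
        &self.0
    }
}

impl fmt::Debug for Secret {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str("Secret(<redacted>)")
    }
}

// Hypothetical request types (assumption, not matrix-sdk's own structs).
#[derive(Debug)]
pub struct LeakyRequest { pub path: String, pub access_token: Option<String> }

#[derive(Debug)]
pub struct SafeRequest { pub path: String, pub access_token: Option<Secret> }

/// Stand-in for a span field recorded with Debug formatting, which is what
/// tracing's #[instrument] does for function arguments by default.
pub fn span_field<T: fmt::Debug>(name: &str, value: &T) -> String {
    format!("{}={:?}", name, value)
}

fn main() {
    let token = "CONSTRUCTED_TOKEN_123"; // constructed sample value
    let leaky = LeakyRequest { path: "/sync".into(), access_token: Some(token.into()) };
    let safe = SafeRequest { path: "/sync".into(), access_token: Some(Secret::new(token)) };
    // Derived Debug prints every field, so the token reaches the log line.
    println!("{}", span_field("request", &leaky));
    // The wrapper's Debug impl redacts the value in the same position.
    println!("{}", span_field("request", &safe));
    // The Authorization header is still built through the explicit accessor.
    let header = format!("Bearer {}", safe.access_token.as_ref().unwrap().expose());
    assert!(header.ends_with(token));
}
```

Upgrading stops new tokens from being written, but tokens already present in retained logs stay there until those logs are purged or the tokens are invalidated.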
Source: This report was generated using AI