logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2022-39374 matrix-synapse

Package

Manager: pip
Name: matrix-synapse
Vulnerable Version: >=1.62.0 <1.68.0rc1

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00207 pctl0.43113

Details

Synapse Denial of service due to incorrect application of event authorization rules during state resolution ### Impact If Synapse and a malicious homeserver are both joined to the same room, the malicious homeserver can trick Synapse into accepting previously rejected events into its view of the current state of that room. This can be exploited in a way that causes all further messages and state changes sent in that room from the vulnerable homeserver to be rejected. Synapse homeservers are affected by this issue if and only if they are joined to rooms which members of untrusted homeservers are joined or invited to. - Synapse homeservers in rooms available over public federation **are** affected. - Synapse homeservers with federation disabled are not affected. - Synapse homeservers in a closed federation containing only trusted servers are not affected. - Synapse homeservers which are only joined to rooms with federation disabled[^1] are not affected. ### Patches Administrators of homeservers with federation enabled are advised to upgrade to 1.68.0 or higher. ### Workarounds * Federation can be disabled by setting [`federation_domain_whitelist`](https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#federation_domain_whitelist) to an empty list (`[]`). from the vulnerable homeserver to be rejected. This issue has been patched in version 1.68.0 ### References - https://github.com/matrix-org/synapse/pull/13723 [^1]: See `m.federate` in the [`m.room.create` definition](https://spec.matrix.org/v1.4/client-server-api/#mroomcreate). ### For more information If you have any questions or comments about this advisory, e-mail us at [security@matrix.org](mailto:security@matrix.org).

Metadata

Created: 2023-05-24T17:21:33Z
Modified: 2024-09-30T20:25:22Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-p9qp-c452-f9r7/GHSA-p9qp-c452-f9r7.json
CWE IDs: ["CWE-400"]
Alternative ID: GHSA-p9qp-c452-f9r7
Finding: F002
Auto approve: 1