logo

Database

Insufficient data authenticity validation In github.com/matrix-org/dendrite

Description

Dendrite signature checks not applied to some retrieved missing events

Impact

Events retrieved from a remote homeserver using /get_missing_events did not have their signatures verified correctly. This could potentially allow a remote homeserver to provide invalid/modified events to Dendrite via this endpoint.

Note that this does not apply to events retrieved through other endpoints (e.g. /event, /state) as they have been correctly verified.

Homeservers that have federation disabled are not vulnerable.

Patches

The problem has been fixed in Dendrite 0.9.8.

Workarounds

There are no workarounds.

Special thanks

Tulir Asokan, who spotted the issue originally.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2022-392002. NVD-2022-392003. OSV-2022-392004. GHSA-pfw4-xjgm-267c5. GCVE-2022-39200

References

1. https://github.com/matrix-org/dendrite/security/advisories/GHSA-pfw4-xjgm-267c2. https://github.com/matrix-org/dendrite/commit/2792d0490f3771488bad346981b8c26479a872c3

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.