CVSS2
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS
Percentile: 79.2%

Severity: High
Date : 2019-01-24
CVE-ID : CVE-2019-5885
Package : matrix-synapse
Type : private key recovery
Remote : No
Link : https://security.archlinux.org/AVG-846
The package matrix-synapse before version 0.34.1.1-1 is vulnerable to
private key recovery.
Upgrade to 0.34.1.1-1.
The problem has been fixed upstream in version 0.34.1.1.
None.
matrix-synapse before 0.34.1 is vulnerable to private key recovery.
Synapse will attempt to derive a value for “macaroon_secret_key” from
other secrets specified in the configuration file. However, in all
versions of Synapse up to and including 0.34.0, this process was
faulty and a predictable value was used instead.
If no private key is specified, a predictable key is used, allowing
private key recovery.
https://matrix.org/blog/2019/01/15/further-details-on-critical-security-update-in-synapse-affecting-all-versions-prior-to-0-34-1-cve-2019-5885/
https://security.archlinux.org/CVE-2019-5885
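
An added example, not part of the advisory or of Synapse's code: a Python audit check that applies the two conditions described above, a package version below 0.34.1.1-1 and no explicit macaroon_secret_key in the configuration. The function names, the constructed sample configuration text and the simplified numeric version comparison are assumptions made here.

```python
import re

FIXED = "0.34.1.1-1"  # fixed Arch package version named in the advisory

def parse_version(version):
    """Split 'pkgver-pkgrel' into comparable integers.

    Simplified: numeric dotted versions only (no epoch, no rc/alpha suffix).
    """
    pkgver, _, pkgrel = version.partition("-")
    return tuple(int(p) for p in pkgver.split(".")), int(pkgrel or 0)

def has_explicit_key(config_text):
    """True if a top-level, uncommented macaroon_secret_key has a non-empty value."""
    for line in config_text.splitlines():
        # re.match anchors at column 0, so commented or nested keys do not count.
        m = re.match(r"macaroon_secret_key\s*:(.*)$", line)
        if m:
            value = m.group(1).split(" #", 1)[0].strip().strip("\"'")
            return value not in ("", "~", "null")
    return False

def assess(version, config_text):
    """Classify one deployment against the advisory's two conditions."""
    if parse_version(version) >= parse_version(FIXED):
        return "fixed"
    if has_explicit_key(config_text):
        # Reading of the advisory: the predictable value applies only
        # when no key is specified; the upgrade is still required.
        return "upgrade: explicit key set, faulty derivation not used"
    return "exposed: predictable macaroon key in use"

# Constructed sample configurations (not from any real deployment).
CONFIG_NO_KEY = """\
server_name: "example.org"
# macaroon_secret_key: "commented-out"
registration_shared_secret: "constructed-sample"
"""
CONFIG_WITH_KEY = CONFIG_NO_KEY + 'macaroon_secret_key: "constructed-sample-key"\n'

if __name__ == "__main__":
    for ver, cfg in [("0.34.0-1", CONFIG_NO_KEY), ("0.34.0-1", CONFIG_WITH_KEY),
                     ("0.34.1.1-1", CONFIG_NO_KEY)]:
        print(ver, "->", assess(ver, cfg))
```
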
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ArchLinux | any | any | matrix-synapse | < 0.34.1.1-1 | UNKNOWN |