Lucene search

GoogleOSV:GHSA-FMVH-RVQ5-HHJX

HistoryMay 13, 2022 - 1:50 a.m.

Matrix Synapse Improper Signature Validation

2022-05-1301:50:21

Google

osv.dev

matrix

synapse

improper

signature

validation

software

remote

attackers

spoof

events

AI Score

Confidence

High

EPSS

0.003

Percentile

70.2%

JSON

Matrix Synapse before 0.33.3.1 and 0.33.2.1 allows remote attackers to spoof events and possibly have unspecified other impacts by leveraging improper transaction and event signature validation.

References

github.com/matrix-org/synapse

github.com/matrix-org/synapse/commit/5bf8bc79ebc22c61968f2eb487714813fccbdb9b

github.com/matrix-org/synapse/commit/804dd41e18c449e711e443398b95c9f6c68b6fa2

github.com/matrix-org/synapse/commit/a5a0bf5cf71caed3c4e3677d2bce667c147dadfc

github.com/matrix-org/synapse/commit/c127c8d0421f0228a46ebbe280c9537e8d8ea42b

github.com/matrix-org/synapse/issues/3796#event-1833126269

lists.fedoraproject.org/archives/list/[email protected]/message/IRW7YR2H3ASUSYX4AO4KMY3FNVDNYW3P

matrix.org/blog/2018/09/06/critical-security-update-synapse-0-33-3-1

nvd.nist.gov/vuln/detail/CVE-2018-16515