Incorrect parsing of access level in gomatrixserverlib and dendrite
CVE-2022-36009

5MEDIUM

Key Information:

Vendor: Matrix-org
Status: Gomatrixserverlib
Vendor: CVE Published:; 19 August 2022

What is CVE-2022-36009?

gomatrixserverlib is a Go library for matrix protocol federation. Dendrite is a Matrix homeserver written in Go, an alternative to Synapse. The power level parsing within gomatrixserverlib was failing to parse the "events_default" key of the m.room.power_levels event, defaulting the event default power level to zero in all cases. Power levels are the matrix terminology for user access level. In rooms where the "events_default" power level had been changed, this could result in events either being incorrectly authorised or rejected by Dendrite servers. gomatrixserverlib contains a fix as of commit 723fd49 and Dendrite 0.9.3 has been updated accordingly. Matrix rooms where the "events_default" power level has not been changed from the default of zero are not vulnerable. Users are advised to upgrade. There are no known workarounds for this issue.

Affected Version(s)

gomatrixserverlib < 0.9.3 for dendrite < 0.9.3 for dendrite

gomatrixserverlib < 723fd49 for gomatrixserverlib < 723fd49 for gomatrixserverlib

References

https://github.com/matrix-org/gomatrixserverlib/security/...

x_refsource_CONFIRM

https://github.com/matrix-org/gomatrixserverlib/commit/72...

x_refsource_MISC

https://matrix.org/docs/guides/moderation/#power-levels

x_refsource_MISC

CVSS V3.1

Score:

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 19, 2022
Vulnerability Reserved
Jul 15, 2022

Matrix-org

What is CVE-2022-36009?

Affected Version(s)

References

CVSS V3.1

Timeline