Signature checks not applied to some retrieved missing events
CVE-2022-39200

7.3HIGH

Key Information:

Vendor: Matrix-org
Status: Dendrite
Vendor: CVE Published:; 12 September 2022

What is CVE-2022-39200?

Dendrite is a Matrix homeserver written in Go. In affected versions events retrieved from a remote homeserver using the /get_missing_events path did not have their signatures verified correctly. This could potentially allow a remote homeserver to provide invalid/modified events to Dendrite via this endpoint. Note that this does not apply to events retrieved through other endpoints (e.g. /event, /state) as they have been correctly verified. Homeservers that have federation disabled are not vulnerable. The problem has been fixed in Dendrite 0.9.8. Users are advised to upgrade. There are no known workarounds for this issue.

Affected Version(s)

dendrite < 0.9.8

References

https://github.com/matrix-org/dendrite/security/advisorie...

x_refsource_CONFIRM

https://github.com/matrix-org/dendrite/commit/2792d0490f3...

x_refsource_MISC

CVSS V3.1

Score:

7.3

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 12, 2022
Vulnerability Reserved
Sep 2, 2022

Matrix-org

What is CVE-2022-39200?

Affected Version(s)

References

CVSS V3.1

Timeline