Synapse Denial of service due to incorrect application of event authorization rules during state resolution
CVE-2022-39374

6.5MEDIUM

Key Information:

Vendor

Matrix-org

Status
Synapse
Vendor
CVE Published:
26 May 2023

What is CVE-2022-39374?

Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. If Synapse and a malicious homeserver are both joined to the same room, the malicious homeserver can trick Synapse into accepting previously rejected events into its view of the current state of that room. This can be exploited in a way that causes all further messages and state changes sent in that room from the vulnerable homeserver to be rejected. This issue has been patched in version 1.68.0

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

synapse >= 1.62.0, < 1.68.0

References

https://github.com/matrix-org/synapse/security/advisories...
x_refsource_CONFIRM
https://github.com/matrix-org/synapse/pull/13723
x_refsource_MISC
https://lists.fedoraproject.org/archives/list/package-ann...

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.