CVE-2019-5885

Matrix Synapse before 0.34.0.1, when the macaroonsecretkey authentication parameter is not set, uses a predictable value to derive a secret key and other secrets which could allow remote attackers to impersonate users.

References

Affected packages

Git / github.com/matrix-org/synapse

Affected ranges

Type

GIT

Repo

https://github.com/matrix-org/synapse

Events

Introduced

Fixed

2dd30ba827baaff0284e715b43f02224630d87cc

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.34.0.1"
        }
    ]
}

Affected versions

Other

hhs-1

hhs-2

hhs-3

hhs-5

hhs-6

hhs-7

hhs-8

v0.*

v0.10.0

v0.10.0-r1

v0.10.0-r2

v0.11.0

v0.11.0-r1

v0.11.0-r2

v0.11.1

v0.12.0

v0.13.1

v0.13.2

v0.13.3

v0.14.0

v0.16.0

v0.16.1

v0.16.1-r1

v0.17.0

v0.17.1

v0.17.2

v0.17.3

v0.18.0

v0.18.1

v0.18.2

v0.18.3

v0.18.4

v0.18.5

v0.2.0

v0.2.1

v0.2.1a

v0.2.2

v0.23.0-rc1

v0.23.0-rc2

v0.25.0-rc1

v0.28.0-rc1

v0.3.0

v0.3.3

v0.3.4

v0.32.0

v0.32.0rc1

v0.32.2

v0.34.0

v0.34.0rc1

v0.34.0rc2

v0.4.1

v0.4.2

v0.5.0

v0.5.1

v0.5.2

v0.5.3

v0.5.3a

v0.5.3b

v0.5.3c

v0.5.4

v0.5.4a

v0.6.0

v0.6.0a

v0.6.0b

v0.6.1

v0.6.1a

v0.6.1b

v0.6.1c

v0.6.1d

v0.6.1e

v0.6.1f

v0.7.0

v0.7.0a

v0.7.0b

v0.7.0c

v0.7.0d

v0.7.0e

v0.7.0f

v0.7.1

v0.7.1-r1

v0.7.1-r2

v0.7.1-r3

v0.7.1-r4

v0.8.0

v0.8.1

v0.8.1-r1

v0.8.1-r2

v0.8.1-r3

v0.8.1-r4

v0.9.0

v0.9.0-r1

v0.9.0-r2

v0.9.0-r3

v0.9.0-r4

v0.9.0-r5

v0.9.1

v0.9.2

v0.9.2-r1

v0.9.2-r2

v0.9.3

Database specific

unresolved_ranges

[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "28"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "29"
            }
        ]
    }
]

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-5885.json"