GHSA-56w4-5538-8v8h

Source

https://github.com/advisories/GHSA-56w4-5538-8v8h

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-56w4-5538-8v8h/GHSA-56w4-5538-8v8h.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-56w4-5538-8v8h

Aliases

CVE-2024-53867

Published

2024-12-03T18:44:23Z

Modified

2024-12-03T19:12:14.054355Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

Synapse Matrix has a partial room state leak via Sliding Sync

Details

Impact

The Sliding Sync feature on Synapse versions between 1.113.0rc1 and 1.120.0 can leak partial room state changes to users no longer in a room. Non-state events, like messages, are unaffected.

Patches

Synapse version 1.120.1 fixes the problem.

Workarounds

Disable Sliding Sync.

References

https://github.com/matrix-org/matrix-spec-proposals/pull/4186 https://github.com/element-hq/synapse/blob/d80cd57c54427687afcb48740d99219c88a0fff1/synapse/config/experimental.py#L341-L344

For more information

If you have any questions or comments about this advisory, please email us at security at element.io.

Database specific

{
    "nvd_published_at": "2024-12-03T17:15:12Z",
    "cwe_ids": [
        "CWE-497"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-12-03T18:44:23Z"
}

References

Affected packages

PyPI / matrix-synapse

Package

Name: matrix-synapse; View open source insights on deps.dev
Purl: pkg:pypi/matrix-synapse

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.113.0rc1

Fixed

1.120.1

Affected versions

1.*

1.113.0rc1

1.113.0

1.114.0rc1

1.114.0rc3

1.114.0

1.115.0rc1

1.115.0rc2

1.115.0

1.116.0rc1

1.116.0rc2

1.116.0

1.117.0rc1

1.117.0

1.118.0rc1

1.118.0

1.119.0rc2

1.119.0

1.120.0rc1

1.120.0