GHSA-cppw-2mf8-qpm5

Source

https://github.com/advisories/GHSA-cppw-2mf8-qpm5

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-cppw-2mf8-qpm5/GHSA-cppw-2mf8-qpm5.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-cppw-2mf8-qpm5

Aliases

Published

2022-05-24T22:01:05Z

Modified

2024-09-24T17:09:27.034519Z

Severity

8.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L CVSS Calculator
8.8 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N CVSS Calculator

Summary

Improper Verification of Cryptographic Signature in matrix-synapse

Details

Matrix Synapse before 1.5.0 mishandles signature checking on some federation APIs. Events sent over /send_join, /send_leave, and /invite may not be correctly signed, or may not come from the expected servers.

References

Affected packages

PyPI / matrix-synapse

Package

Name: matrix-synapse; View open source insights on deps.dev
Purl: pkg:pypi/matrix-synapse

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.5.0

Affected versions

0.*

0.33.5

0.33.5.1

0.33.6rc1

0.33.6

0.33.7rc1

0.33.7rc2

0.33.7

0.33.8rc2

0.33.8

0.33.9

0.34.0rc1

0.34.0rc2

0.34.0

0.34.0.1

0.34.1.1

0.99.0rc1

0.99.0rc2

0.99.0rc3

0.99.0rc4

0.99.0

0.99.1rc1

0.99.1rc2

0.99.1

0.99.1.1

0.99.2rc1

0.99.2

0.99.3rc1

0.99.3

0.99.3.1

0.99.3.2

0.99.4rc1

0.99.4

0.99.5rc1

0.99.5

0.99.5.1

0.99.5.2

1.*

1.0.0rc1

1.0.0rc2

1.0.0rc3

1.0.0

1.1.0rc1

1.1.0rc2

1.1.0

1.2.0rc1

1.2.0rc2

1.2.0

1.2.1

1.3.0rc1

1.3.0

1.3.1

1.4.0rc1

1.4.0rc2

1.4.0

1.4.1rc1

1.4.1

1.5.0rc1

1.5.0rc2

Ecosystem specific

{
    "affected_functions": [
        "synapse.federation.federation_server.FederationServer.on_invite_request",
        "synapse.federation.federation_server.FederationServer.on_send_join_request",
        "synapse.federation.federation_server.FederationServer.on_send_leave_request"
    ]
}