GHSA-gwf7-vfjf-wf6x

Source
https://github.com/advisories/GHSA-gwf7-vfjf-wf6x
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-gwf7-vfjf-wf6x/GHSA-gwf7-vfjf-wf6x.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-gwf7-vfjf-wf6x
Aliases
Published
2022-05-24T16:45:24Z
Modified
2024-09-30T20:38:01.214493Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
matrix-sydent and matrix-synapse Use Cryptographically Weak PRNG
Details

An issue was discovered in Matrix Sydent before 1.0.3 and Synapse before 0.99.3.1. Random number generation is mishandled, which makes it easier for attackers to predict a Sydent authentication token or a Synapse random ID.

Database specific
{
    "nvd_published_at": "2019-05-09T18:29:00Z",
    "cwe_ids": [
        "CWE-338"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-27T21:34:46Z"
}
References

Affected packages

PyPI / matrix-sydent

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.0.3

PyPI / matrix-synapse

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.99.3.1

Affected versions

0.*

0.33.5
0.33.5.1
0.33.6rc1
0.33.6
0.33.7rc1
0.33.7rc2
0.33.7
0.33.8rc2
0.33.8
0.33.9
0.34.0rc1
0.34.0rc2
0.34.0
0.34.0.1
0.34.1.1
0.99.0rc1
0.99.0rc2
0.99.0rc3
0.99.0rc4
0.99.0
0.99.1rc1
0.99.1rc2
0.99.1
0.99.1.1
0.99.2rc1
0.99.2
0.99.3rc1
0.99.3