The Matrix specification specifies a list of event authorization rules which must be checked when determining if an event should be accepted into a room.
In versions of Synapse up to and including v1.61, some of these rules are not correctly applied. An attacker could craft events which would be accepted by Synapse but not a spec-conformant server, potentially causing divergence in the room state between servers.
Administrators of homeservers with federation enabled are advised to upgrade to v1.62.0 or higher.
federation_domain_whitelist
to an empty list ([]
).If you have any questions or comments about this advisory, e-mail us at security@matrix.org.
{ "nvd_published_at": "2022-09-02T20:15:00Z", "cwe_ids": [ "CWE-703", "CWE-755" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2022-08-31T21:25:37Z" }