GHSA-pfw4-xjgm-267c

Suggest an improvement
Source
https://github.com/advisories/GHSA-pfw4-xjgm-267c
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-pfw4-xjgm-267c/GHSA-pfw4-xjgm-267c.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-pfw4-xjgm-267c
Aliases
Published
2022-09-15T03:28:01Z
Modified
2023-11-08T04:10:14.812822Z
Severity
  • 7.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L CVSS Calculator
Summary
Dendrite signature checks not applied to some retrieved missing events
Details

Impact

Events retrieved from a remote homeserver using /get_missing_events did not have their signatures verified correctly. This could potentially allow a remote homeserver to provide invalid/modified events to Dendrite via this endpoint.

Note that this does not apply to events retrieved through other endpoints (e.g. /event, /state) as they have been correctly verified.

Homeservers that have federation disabled are not vulnerable.

Patches

The problem has been fixed in Dendrite 0.9.8.

Workarounds

There are no workarounds.

Special thanks

Tulir Asokan, who spotted the issue originally.

References

Affected packages

Go / github.com/matrix-org/dendrite

Package

Name
github.com/matrix-org/dendrite
View open source insights on deps.dev
Purl
pkg:golang/github.com/matrix-org/dendrite

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.9.8