USN-7444-1

See a problem?
Please try reporting it to the source first.
Source
https://ubuntu.com/security/notices/USN-7444-1
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-7444-1.json
JSON Data
https://api.osv.dev/v1/vulns/USN-7444-1
Related
Published
2025-04-22T17:24:26.205654Z
Modified
2025-04-22T17:24:26.205654Z
Summary
matrix-synapse vulnerabilities
Details

It was discovered that Synapse network policies could be bypassed via specially crafted URLs. An attacker could possibly use this issue to bypass authentication mechanisms. (CVE-2023-32683)

It was discovered that Synapse exposed cached device information. An attacker could possibly use this issue to gain access to sensitive information. (CVE-2023-43796)

It was discovered that Synapse could be tricked into rejecting state changes in rooms. An attacker could possibly use this issue to cause Synapse to stop functioning properly, resulting in a denial of service. This issue was only fixed in Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2022-39374)

It was discovered that Synapse stored user credentials in a server's database temporarily. An attacker could possibly use this issue to gain access to sensitive information. This issue was only fixed in Ubuntu 22.04 LTS. (CVE-2023-41335)

It was discovered that Synapse could incorrectly respond to server authorization events. An attacker could possibly use this issue to bypass authentication mechanisms. This issue was only fixed in Ubuntu 22.04 LTS. (CVE-2022-39335)

It was discovered that Synapse could be manipulated to mark messages as read when they had not been viewed. An attacker could possibly use this issue to perform repudiation-based attacks. This issue was only fixed in Ubuntu 22.04 LTS. (CVE-2023-42453)

It was discovered that Synapse had several memory-related issues. An attacker could possibly use this issue to cause Synapse to crash, resulting in a denial of service. This issue was only fixed in Ubuntu 22.04 LTS. (CVE-2024-31208)

It was discovered that Synapse could run external tools due to a unchecked thumbnail rendering routine. An attacker could possibly use this issue to cause Synapse to crash, resulting in a denial of service, or execute arbitrary code. This issue was only fixed in Ubuntu 22.04 LTS. (CVE-2024-53863)

References

Affected packages

Ubuntu:Pro:18.04:LTS / matrix-synapse

Package

Name
matrix-synapse
Purl
pkg:deb/ubuntu/matrix-synapse@0.24.0+dfsg-1ubuntu0.1~esm4?arch=source&distro=esm-apps/bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.24.0+dfsg-1ubuntu0.1~esm4

Affected versions

0.*

0.19.2+dfsg-6
0.24.0+dfsg-1
0.24.0+dfsg-1ubuntu0.1~esm1

Ecosystem specific 

{
    "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
    "binaries": [
        {
            "binary_version": "0.24.0+dfsg-1ubuntu0.1~esm4",
            "binary_name": "matrix-synapse"
        }
    ]
}

Ubuntu:Pro:20.04:LTS / matrix-synapse

Package

Name
matrix-synapse
Purl
pkg:deb/ubuntu/matrix-synapse@1.11.0-1ubuntu0.1~esm2?arch=source&distro=esm-apps/focal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.11.0-1ubuntu0.1~esm2

Affected versions

1.*

1.3.0-1
1.4.0-1
1.5.0-1
1.5.1-1
1.6.0-1
1.6.1-1
1.7.0-2
1.7.1-1
1.7.2-1
1.7.3-1
1.8.0-1
1.9.0-1
1.9.1-1
1.10.0-1
1.10.0-2
1.11.0-1

Ecosystem specific 

{
    "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
    "binaries": [
        {
            "binary_version": "1.11.0-1ubuntu0.1~esm2",
            "binary_name": "matrix-synapse"
        }
    ]
}

Ubuntu:Pro:22.04:LTS / matrix-synapse

Package

Name
matrix-synapse
Purl
pkg:deb/ubuntu/matrix-synapse@1.53.0-1ubuntu0.1~esm2?arch=source&distro=esm-apps/jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.53.0-1ubuntu0.1~esm2

Affected versions

1.*

1.39.0-1
1.47.0-2
1.47.1-1
1.48.0-1
1.49.0-1
1.49.2-1
1.50.1-1
1.50.2-1
1.51.0-1
1.52.0-1
1.53.0-1

Ecosystem specific 

{
    "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
    "binaries": [
        {
            "binary_version": "1.53.0-1ubuntu0.1~esm2",
            "binary_name": "matrix-synapse"
        }
    ]
}