Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2022-39374

Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. If Synapse and a malicious homeserver are both joined to the same room, the malicious homeserver can trick Synapse into accepting previously rejected events into its view of the current state of that room. This can be exploited in a way that causes all further messages and state changes sent in that room from the vulnerable homeserver to be rejected. This issue has been patched in version 1.68.0

Published

2023-05-26T14:15:10.257

Last Modified

2025-02-13T17:15:42.717

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 6.5 (MEDIUM)

Weaknesses

Type: Secondary
CWE-400
Type: Primary
CWE-400

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	matrix	synapse	< 1.68.0	Yes

References

https://github.com/matrix-org/synapse/pull/13723 Issue Tracking, Patch ([email protected])
https://github.com/matrix-org/synapse/security/advisories/GHSA-p9qp-c452-f9r7 Mitigation, Vendor Advisory ([email protected])
https://lists.fedoraproject.org/archives/list/[email protected]/message/UJIJRP5ZH6B3KGFLHCAKR2IX2Y4Z25QD/ ([email protected])
https://github.com/matrix-org/synapse/pull/13723 Issue Tracking, Patch (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/matrix-org/synapse/security/advisories/GHSA-p9qp-c452-f9r7 Mitigation, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/[email protected]/message/UJIJRP5ZH6B3KGFLHCAKR2IX2Y4Z25QD/ (af854a3a-2127-422b-91ae-364da2661108)