GHSA-fmvh-rvq5-hhjx: Matrix Synapse Improper Signature Validation
Severity: HIGH (CVSS 8.8)
Details
Matrix Synapse before 0.33.3.1 and 0.33.2.1 allows remote attackers to spoof events and possibly have unspecified other impacts by leveraging improper transaction and event signature validation.
Affected packages

PyPI / matrix-synapse (0.33.3 release line)
  Introduced in: 0.33.3
  Fixed in: 0.33.3.1
  Fix: pip install --upgrade 'matrix-synapse>=0.33.3.1'

PyPI / matrix-synapse (all earlier releases)
  Introduced in: 0 (every version before the fix)
  Fixed in: 0.33.2.1
  Fix: pip install --upgrade 'matrix-synapse>=0.33.2.1'

References
- https://nvd.nist.gov/vuln/detail/CVE-2018-16515 [ADVISORY]
- https://github.com/matrix-org/synapse/issues/3796#event-1833126269 [WEB]
- https://github.com/matrix-org/synapse/commit/5bf8bc79ebc22c61968f2eb487714813fccbdb9b [WEB]
- https://github.com/matrix-org/synapse/commit/804dd41e18c449e711e443398b95c9f6c68b6fa2 [WEB]
- https://github.com/matrix-org/synapse/commit/a5a0bf5cf71caed3c4e3677d2bce667c147dadfc [WEB]
- https://github.com/matrix-org/synapse/commit/c127c8d0421f0228a46ebbe280c9537e8d8ea42b [WEB]
- https://github.com/matrix-org/synapse [PACKAGE]
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IRW7YR2H3ASUSYX4AO4KMY3FNVDNYW3P [WEB]
- https://matrix.org/blog/2018/09/06/critical-security-update-synapse-0-33-3-1 [WEB]