CVE-2023-32323 – Synapse Outgoing federation to specific hosts can be disabled by sending malicious invites
https://notcve.org/view.php?id=CVE-2023-32323
Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. A malicious user on a Synapse homeserver X with permission to create certain state events can disable outbound federation from X to an arbitrary homeserver Y. Synapse instances with federation disabled are not affected. In versions of Synapse up to and including 1.73, Synapse did not limit the size of `invite_room_state`, meaning that it was possible to create an arbitrarily large invite event. Synapse 1.74 refuses to create oversized `invite_room_state` fields. • https://github.com/matrix-org/synapse/issues/14492 https://github.com/matrix-org/synapse/pull/14642 https://github.com/matrix-org/synapse/security/advisories/GHSA-f3wc-3vxv-xmvr https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJIJRP5ZH6B3KGFLHCAKR2IX2Y4Z25QD • CWE-20: Improper Input Validation •
CVE-2022-47632 – Razer Synapse 3.7.0731.072516 Local Privilege Escalation
https://notcve.org/view.php?id=CVE-2022-47632
Razer Synapse before 3.7.0830.081906 allows privilege escalation due to an unsafe installation path, improper privilege management, and improper certificate validation. Attackers can place malicious DLLs into %PROGRAMDATA%\Razer\Synapse3\Service\bin if they do so before the service is installed and if they deny write access for the SYSTEM user. Although the service will not start if the malicious DLLs are unsigned, it suffices to use self-signed DLLs. The validity of the DLL signatures is not checked. As a result, local Windows users can abuse the Razer driver installer to obtain administrative privileges on Windows. • http://packetstormsecurity.com/files/170772/Razer-Synapse-3.7.0731.072516-Local-Privilege-Escalation.html http://packetstormsecurity.com/files/174696/Razer-Synapse-Race-Condition-DLL-Hijacking.html http://seclists.org/fulldisclosure/2023/Sep/6 https://syss.de https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-047.txt • CWE-427: Uncontrolled Search Path Element •
CVE-2022-31152 – Synapse vulnerable to denial of service (DoS) due to incorrect application of event authorization rules
https://notcve.org/view.php?id=CVE-2022-31152
Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. The Matrix specification specifies a list of [event authorization rules](https://spec.matrix.org/v1.2/rooms/v9/#authorization-rules) which must be checked when determining if an event should be accepted into a room. In versions of Synapse up to and including version 1.61.0, some of these rules are not correctly applied. An attacker could craft events which would be accepted by Synapse but not a spec-conformant server, potentially causing divergence in the room state between servers. Administrators of homeservers with federation enabled are advised to upgrade to version 1.62.0 or higher. • https://github.com/matrix-org/synapse/pull/13087 https://github.com/matrix-org/synapse/pull/13088 https://github.com/matrix-org/synapse/releases/tag/v1.62.0 https://github.com/matrix-org/synapse/security/advisories/GHSA-jhjh-776m-4765 • CWE-703: Improper Check or Handling of Exceptional Conditions CWE-755: Improper Handling of Exceptional Conditions •
CVE-2021-44226 – Razer Synapse 3.6.x DLL Hijacking
https://notcve.org/view.php?id=CVE-2021-44226
Razer Synapse before 3.7.0228.022817 allows privilege escalation because it relies on %PROGRAMDATA%\Razer\Synapse3\Service\bin even if %PROGRAMDATA%\Razer has been created by any unprivileged user before Synapse is installed. The unprivileged user may have placed Trojan horse DLLs there. Razer Synapse versiones anteriores a 3.7.0228.022817, permite una escalada de privilegios porque es basado en %PROGRAMDATA%\Razer\Synapse3\Service\bin incluso si %PROGRAMDATA%\Razer ha sido creado por cualquier usuario no privilegiado antes de la instalación de Synapse. El usuario no privilegiado puede haber colocado allí DLLs troyanos Razer Synapse versions prior to 3.7.0228.022817 suffer from a dll hijacking vulnerability. • http://packetstormsecurity.com/files/166485/Razer-Synapse-3.6.x-DLL-Hijacking.html http://packetstormsecurity.com/files/170772/Razer-Synapse-3.7.0731.072516-Local-Privilege-Escalation.html http://packetstormsecurity.com/files/174696/Razer-Synapse-Race-Condition-DLL-Hijacking.html http://seclists.org/fulldisclosure/2022/Mar/51 http://seclists.org/fulldisclosure/2023/Jan/26 http://seclists.org/fulldisclosure/2023/Sep/6 https://www.razer.com/community https://www.syss.de/fileadmin/dokumente/Publikationen& • CWE-427: Uncontrolled Search Path Element •
CVE-2017-15708
https://notcve.org/view.php?id=CVE-2017-15708
In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI). So Apache Synapse 3.0.1 or all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) allows remote code execution attacks that can be performed by injecting specially crafted serialized objects. And the presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or previous versions in Synapse distribution makes this exploitable. To mitigate the issue, we need to limit RMI access to trusted users only. Further upgrading to 3.0.1 version will eliminate the risk of having said Commons Collection version. • https://github.com/HuSoul/CVE-2017-15708 http://www.securityfocus.com/bid/102154 https://lists.apache.org/thread.html/77f2accf240d25d91b47033e2f8ebec84ffbc6e6627112b2f98b66c9%40%3Cdev.synapse.apache.org%3E https://lists.apache.org/thread.html/r0fb289cd38c915b9a13a3376134f96222dd9100f1ef66b41631865c6%40%3Ccommits.doris.apache.org%3E https://security.gentoo.org/glsa/202107-37 https://www.oracle.com/security-alerts/cpujan2020.html https://www.oracle.com/security-alerts/cpujul2020.html • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •