CVSS: 4.9EPSS: 0%CPEs: 3EXPL: 0CVE-2023-45129 – matrix-synapse vulnerable to denial of service due to malicious server ACL events
https://notcve.org/view.php?id=CVE-2023-45129
Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. Prior to version 1.94.0, a malicious server ACL event can impact performance temporarily or permanently leading to a persistent denial of service. Homeservers running on a closed federation (which presumably do not need to use server ACLs) are not affected. Server administrators are advised to upgrade to Synapse 1.94.0 or later. As a workaround, rooms with malicious server ACL events can be purged and blocked using the admin API. • https://github.com/matrix-org/synapse/pull/16360 https://github.com/matrix-org/synapse/security/advisories/GHSA-5chr-wjw5-3gq4 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KEVRB4MG5UXQ5RLZHSUJXM5GWEBYYS5B https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N6P4QULVUE254WI7XF2LWWOGHCYVFXFY https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WRO4MPQ6HOXIUZM6RJP6VTCTMV7RD2T3 https://matrix-org.github.io/synapse/latest • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-43656 – Sandbox escape for instances that have enabled transformation functions in matrix-hookshot
https://notcve.org/view.php?id=CVE-2023-43656
matrix-hookshot is a Matrix bot for connecting to external services like GitHub, GitLab, JIRA, and more. Instances that have enabled transformation functions (those that have `generic.allowJsTransformationFunctions` in their config), may be vulnerable to an attack where it is possible to break out of the `vm2` sandbox and as a result Hookshot will be vulnerable to this. This problem is only likely to affect users who have allowed untrusted users to apply their own transformation functions. If you have only enabled a limited set of trusted users, this threat is reduced (though not eliminated). Version 4.5.0 and above of hookshot include a new sandbox library which should better protect users. • https://github.com/matrix-org/matrix-hookshot/commit/dc126afa6af86d66aefcd23a825326f405bcc894 https://github.com/matrix-org/matrix-hookshot/security/advisories/GHSA-fr97-pv6w-4cj6 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 3.7EPSS: 0%CPEs: 3EXPL: 0CVE-2023-41335 – Temporary storage of plaintext passwords during password changes in matrix synapse
https://notcve.org/view.php?id=CVE-2023-41335
Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. When users update their passwords, the new credentials may be briefly held in the server database. While this doesn't grant the server any added capabilities—it already learns the users' passwords as part of the authentication process—it does disrupt the expectation that passwords won't be stored in the database. As a result, these passwords could inadvertently be captured in database backups for a longer duration. These temporarily stored passwords are automatically erased after a 48-hour window. • https://github.com/matrix-org/synapse/pull/16272 https://github.com/matrix-org/synapse/security/advisories/GHSA-4f74-84v3-j9q5 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AFB2Y3S2VCPCN5P2XCZTG24MBMZ7DM4 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/65QPC55I4D27HIZP7H2NQ34EOXHPP4AO https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N6P4QULVUE254WI7XF2LWWOGHCYVFXFY https://security.gentoo.org/glsa/202401-12 • CWE-312: Cleartext Storage of Sensitive Information •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2023-42453 – Improper validation of receipts allows forged read receipts in matrix synapse
https://notcve.org/view.php?id=CVE-2023-42453
Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. Users were able to forge read receipts for any event (if they knew the room ID and event ID). Note that the users were not able to view the events, but simply mark it as read. This could be confusing as clients will show the event as read by the user, even if they are not in the room. This issue has been patched in version 1.93.0. • https://github.com/matrix-org/synapse/pull/16327 https://github.com/matrix-org/synapse/security/advisories/GHSA-7565-cq32-vx2x https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AFB2Y3S2VCPCN5P2XCZTG24MBMZ7DM4 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/65QPC55I4D27HIZP7H2NQ34EOXHPP4AO https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N6P4QULVUE254WI7XF2LWWOGHCYVFXFY https://security.gentoo.org/glsa/202401-12 • CWE-285: Improper Authorization •
CVSS: 3.7EPSS: 0%CPEs: 1EXPL: 0CVE-2023-38700 – matrix-appservice-irc events can be crafted to leak parts of targeted messages from other bridged rooms
https://notcve.org/view.php?id=CVE-2023-38700
matrix-appservice-irc is a Node.js IRC bridge for Matrix. Prior to version 1.0.1, it was possible to craft an event such that it would leak part of a targeted message event from another bridged room. This required knowing an event ID to target. Version 1.0.1n fixes this issue. As a workaround, set the `matrixHandler.eventCacheSize` config value to `0`. • https://github.com/matrix-org/matrix-appservice-irc/commit/8bbd2b69a16cbcbeffdd9b5c973fd89d61498d75 https://github.com/matrix-org/matrix-appservice-irc/releases/tag/1.0.1 https://github.com/matrix-org/matrix-appservice-irc/security/advisories/GHSA-c7hh-3v6c-fj4q • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •