Page 4 of 38 results (0.003 seconds)

CVSS: 3.5EPSS: 0%CPEs: 3EXPL: 0

Matrix is an ecosystem for open federated Instant Messaging and Voice over IP. In versions 1.41.0 and prior, unauthorised users can access the membership (list of members, with their display names) of a room if they know the ID of the room. The vulnerability is limited to rooms with `shared` history visibility. Furthermore, the unauthorised user must be using an account on a vulnerable homeserver that is in the room. Server administrators should upgrade to 1.41.1 or later in order to receive the patch. • https://github.com/matrix-org/synapse/commit/cb35df940a https://github.com/matrix-org/synapse/releases/tag/v1.41.1 https://github.com/matrix-org/synapse/security/advisories/GHSA-3x4c-pq33-4w3q https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2VHDEPCZ22GJFMZCWA2XZAGPOEV72POF https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PXT7ID7DNBRN2TVTETU3SYQHJKEG6PXN • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-863: Incorrect Authorization •

CVSS: 3.5EPSS: 0%CPEs: 3EXPL: 0

Matrix is an ecosystem for open federated Instant Messaging and Voice over IP. In versions 1.41.0 and prior, unauthorised users can access the name, avatar, topic and number of members of a room if they know the ID of the room. This vulnerability is limited to homeservers where the vulnerable homeserver is in the room and untrusted users are permitted to create groups (communities). By default, only homeserver administrators can create groups. However, homeserver administrators can already access this information in the database or using the admin API. • https://github.com/matrix-org/synapse/commit/cb35df940a https://github.com/matrix-org/synapse/releases/tag/v1.41.1 https://github.com/matrix-org/synapse/security/advisories/GHSA-jj53-8fmw-f2w2 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2VHDEPCZ22GJFMZCWA2XZAGPOEV72POF https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PXT7ID7DNBRN2TVTETU3SYQHJKEG6PXN • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-863: Incorrect Authorization •

CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0

Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.33.2 "Push rules" can specify conditions under which they will match, including `event_match`, which matches event content against a pattern including wildcards. Certain patterns can cause very poor performance in the matching engine, leading to a denial-of-service when processing moderate length events. The issue is patched in version 1.33.2. • https://github.com/matrix-org/synapse/commit/03318a766cac9f8b053db2214d9c332a977d226c https://github.com/matrix-org/synapse/releases/tag/v1.33.2 https://github.com/matrix-org/synapse/security/advisories/GHSA-x345-32rc-8h85 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY • CWE-331: Insufficient Entropy CWE-400: Uncontrolled Resource Consumption •

CVSS: 6.3EPSS: 0%CPEs: 2EXPL: 0

Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0 requests to user provided domains were not restricted to external IP addresses when transitional IPv6 addresses were used. Outbound requests to federation, identity servers, when calculating the key validity for third-party invite events, sending push notifications, and generating URL previews are affected. This could cause Synapse to make requests to internal infrastructure on dual-stack networks. • https://github.com/matrix-org/synapse/pull/9240 https://github.com/matrix-org/synapse/security/advisories/GHSA-5wrh-4jwv-5w78 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY https://pypi.org/project/matrix-synapse • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •

CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0

Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0 Synapse is missing input validation of some parameters on the endpoints used to confirm third-party identifiers could cause excessive use of disk space and memory leading to resource exhaustion. Note that the groups feature is not part of the Matrix specification and the chosen maximum lengths are arbitrary. Not all clients might abide by them. • https://github.com/matrix-org/synapse/pull/9321 https://github.com/matrix-org/synapse/pull/9393 https://github.com/matrix-org/synapse/security/advisories/GHSA-jrh7-mhhx-6h88 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY https://pypi.org/project/matrix-synapse • CWE-20: Improper Input Validation •