CVE-2022-36009

Incorrect parsing of access level in gomatrixserverlib and dendrite

Severity Score

8.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

gomatrixserverlib is a Go library for Matrix protocol federation. Dendrite is a Matrix homeserver written in Go, an alternative to Synapse. The power level parsing within gomatrixserverlib failed to parse the `"events_default"` key of the `m.room.power_levels` event, so the event default power level was set to zero in all cases. Power levels are the Matrix terminology for user access level. In rooms where the `"events_default"` power level had been changed, this could result in events being either incorrectly authorised or incorrectly rejected by Dendrite servers. gomatrixserverlib contains a fix as of commit `723fd49` and Dendrite 0.9.3 has been updated accordingly. Matrix rooms where the `"events_default"` power level has not been changed from the default of zero are not vulnerable. Users are advised to upgrade. There are no known workarounds for this issue.

*Credits: N/A
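The effect described above, as an added illustration that is not code from gomatrixserverlib or Dendrite: a minimal power-level check run once with `"events_default"` honoured and once with it forced to zero. The type, the function names and the simulated faulty parser are assumptions made for this example (the page does not show the library's actual defect), and the room content is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// PowerLevels holds the subset of m.room.power_levels content used here.
type PowerLevels struct {
	Users         map[string]int64 `json:"users"`
	UsersDefault  int64            `json:"users_default"`
	Events        map[string]int64 `json:"events"`
	EventsDefault int64            `json:"events_default"`
}

// ParsePowerLevels decodes the content, honouring "events_default".
func ParsePowerLevels(content []byte) (PowerLevels, error) {
	var pl PowerLevels
	err := json.Unmarshal(content, &pl)
	return pl, err
}

// ParseIgnoringEventsDefault simulates the effect the advisory describes:
// the key is never read, so the event default is zero in all cases.
func ParseIgnoringEventsDefault(content []byte) (PowerLevels, error) {
	pl, err := ParsePowerLevels(content)
	pl.EventsDefault = 0
	return pl, err
}

// CanSend reports whether sender may send a non-state event of eventType.
func (pl PowerLevels) CanSend(sender, eventType string) bool {
	required, ok := pl.Events[eventType]
	if !ok {
		required = pl.EventsDefault // no per-type entry: fall back to the default
	}
	level, ok := pl.Users[sender]
	if !ok {
		level = pl.UsersDefault
	}
	return level >= required
}

// Constructed sample: an announcement room where only level 50+ may post.
const sampleContent = `{"users":{"@admin:example.org":100},"users_default":0,"events_default":50}`

func main() {
	good, _ := ParsePowerLevels([]byte(sampleContent))
	bad, _ := ParseIgnoringEventsDefault([]byte(sampleContent))
	fmt.Println(good.CanSend("@guest:example.org", "m.room.message")) // false
	fmt.Println(bad.CanSend("@guest:example.org", "m.room.message"))  // true
}
```

A room whose `"events_default"` is still zero gives the same answer from both parsers, which matches the advisory's statement that such rooms are not vulnerable.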
CVSS Scores
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2022-07-15 CVE Reserved
  • 2022-08-19 CVE Published
  • 2024-04-09 EPSS Updated
  • 2024-08-03 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-863: Incorrect Authorization
CAPEC
Affected Vendors, Products, and Versions
Vendor  Product            Version   Other  Status
Matrix  Dendrite           <= 0.9.2  -      Affected
Matrix  Gomatrixserverlib  -         -      Affected