CVE-2022-39374
Synapse Denial of service due to incorrect application of event authorization rules during state resolution
- Severity Score: -
- Exploit Likelihood: -
- Public Exploits: 0
- Exploited in Wild: -
- Decision: -
Descriptions
Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. If Synapse and a malicious homeserver are both joined to the same room, the malicious homeserver can trick Synapse into accepting previously rejected events into its view of the current state of that room. This can be exploited in a way that causes all further messages and state changes sent in that room from the vulnerable homeserver to be rejected. This issue has been patched in version 1.68.0.
Timeline
- 2022-09-02 CVE Reserved
- 2023-05-26 CVE Published
- 2024-06-01 EPSS Updated
- 2024-08-03 CVE Updated
CWE
- CWE-400: Uncontrolled Resource Consumption
References (3)
URL | Date |
---|---|
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJIJRP5ZH6B3KGFLHCAKR2IX2Y4Z25QD | - |
https://github.com/matrix-org/synapse/pull/13723 | 2023-09-18 |
https://github.com/matrix-org/synapse/security/advisories/GHSA-p9qp-c452-f9r7 | 2023-09-18 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Matrix | Synapse | >= 1.62.0 < 1.68.0 | - | Affected |