Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2022-39335

Good to know:

icon

Date: May 26, 2023

Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. The Matrix Federation API allows remote homeservers to request the authorization events in a room. This is necessary so that a homeserver receiving some events can validate that those events are legitimate and permitted in their room. However, in versions of Synapse up to and including 1.68.0, a Synapse homeserver answering a query for authorization events does not sufficiently check that the requesting server should be able to access them. The issue was patched in Synapse 1.69.0. Homeserver administrators are advised to upgrade.

Language: Python

Severity Score

Related Resources (7)

https://github.com/matrix-org/synapse/issues/13288
https://github.com/matrix-org/synapse/security/advisories/GHSA-45cj-f97f-ggwv
https://github.com/matrix-org/synapse/pull/13823
https://security-tracker.debian.org/tracker/CVE-2022-39335
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T2MBNMZAFY4RCZL2VGBGAPKGB4JUPZVS/
https://nvd.nist.gov/vuln/detail/CVE-2022-39335
https://www.mend.io/vulnerability-database/CVE-2022-39335

Severity Score

Weakness Type (CWE)

Information Leak / Disclosure

CWE-200

Missing Authorization

CWE-862

Top Fix

icon

Upgrade Version

Upgrade to version matrix-synapse - 1.69.0

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): HIGH
Privileges Required (PR): LOW
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): LOW
Integrity (I): LOW
Availability (A): LOW

Do you need more information?

Contact Us