Vulnerability Description
Matrix Synapse before 0.34.0.1, when the macaroon_secret_key authentication parameter is not set, uses a predictable value to derive a secret key and other secrets, which could allow remote attackers to impersonate users.
CVSS Score
7.5 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Matrix | Synapse | < 0.34.0.1 |
| Fedoraproject | Fedora | 28 |
Related Weaknesses (CWE)
References
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://matrix.org/blog/2019/01/10/critical-security-update-synapse-0-34-0-1-syn (Vendor Advisory)
- https://matrix.org/blog/2019/01/15/further-details-on-critical-security-update-i (Vendor Advisory)
FAQ
What is CVE-2019-5885?
CVE-2019-5885 is a vulnerability with a CVSS score of 7.5 (HIGH). Matrix Synapse before 0.34.0.1, when the macaroon_secret_key authentication parameter is not set, uses a predictable value to derive a secret key and other secrets which could allow remote attackers t...
How severe is CVE-2019-5885?
CVE-2019-5885 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-5885?
Check the references section above for vendor advisories and patch information. Affected products include: Matrix Synapse, Fedoraproject Fedora.