Vulnerability Description
Matrix is an ecosystem for open federated Instant Messaging and VoIP. Synapse is a reference "homeserver" implementation of Matrix. A malicious or poorly-implemented homeserver can inject malformed events into a room by specifying a different room id in the path of a `/send_join`, `/send_leave`, `/invite` or `/exchange_third_party_invite` request. This can lead to a denial of service in which future events will not be correctly sent to other servers over federation. This affects any server which accepts federation requests from untrusted servers. The Matrix Synapse reference implementation before version 1.23.1 the implementation is vulnerable to this injection attack. Issue is fixed in version 1.23.1. As a workaround homeserver administrators could limit access to the federation API to trusted servers (for example via `federation_domain_whitelist`).
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Matrix | Synapse | < 1.23.1 |
| Fedoraproject | Fedora | 32 |
Related Weaknesses (CWE)
References
- https://github.com/matrix-org/synapse/blob/develop/CHANGES.md#synapse-1231-2020-Release NotesThird Party Advisory
- https://github.com/matrix-org/synapse/commit/3ce2f303f15f6ac3dc352298972dc6e04d9PatchThird Party Advisory
- https://github.com/matrix-org/synapse/pull/8776PatchThird Party Advisory
- https://github.com/matrix-org/synapse/security/advisories/GHSA-hxmp-pqch-c8mmThird Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://github.com/matrix-org/synapse/blob/develop/CHANGES.md#synapse-1231-2020-Release NotesThird Party Advisory
- https://github.com/matrix-org/synapse/commit/3ce2f303f15f6ac3dc352298972dc6e04d9PatchThird Party Advisory
- https://github.com/matrix-org/synapse/pull/8776PatchThird Party Advisory
- https://github.com/matrix-org/synapse/security/advisories/GHSA-hxmp-pqch-c8mmThird Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
FAQ
What is CVE-2020-26257?
CVE-2020-26257 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Matrix is an ecosystem for open federated Instant Messaging and VoIP. Synapse is a reference "homeserver" implementation of Matrix. A malicious or poorly-implemented homeserver can inject malformed ev...
How severe is CVE-2020-26257?
CVE-2020-26257 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-26257?
Check the references section above for vendor advisories and patch information. Affected products include: Matrix Synapse, Fedoraproject Fedora.