CVE-2022-36009 — MEDIUM (5.0)

Q: How severe is CVE-2022-36009?

CVE-2022-36009 has been rated MEDIUM with a CVSS base score of 5.0/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2022-36009?

Check the references section above for vendor advisories and patch information. Affected products include: Matrix Dendrite, Matrix Gomatrixserverlib.

Vulnerability Description

gomatrixserverlib is a Go library for matrix protocol federation. Dendrite is a Matrix homeserver written in Go, an alternative to Synapse. The power level parsing within gomatrixserverlib was failing to parse the `"events_default"` key of the `m.room.power_levels` event, defaulting the event default power level to zero in all cases. Power levels are the matrix terminology for user access level. In rooms where the `"events_default"` power level had been changed, this could result in events either being incorrectly authorised or rejected by Dendrite servers. gomatrixserverlib contains a fix as of commit `723fd49` and Dendrite 0.9.3 has been updated accordingly. Matrix rooms where the `"events_default"` power level has not been changed from the default of zero are not vulnerable. Users are advised to upgrade. There are no known workarounds for this issue.

CVSS Score

5.0

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

LOW

Availability

LOW

Affected Products

Vendor	Product	Versions
Matrix	Dendrite	<= 0.9.2
Matrix	Gomatrixserverlib	-

Related Weaknesses (CWE)

CWE-863

References

https://github.com/matrix-org/gomatrixserverlib/commit/723fd495dde835d078b9f2074PatchThird Party Advisory
https://github.com/matrix-org/gomatrixserverlib/security/advisories/GHSA-grvv-h2Third Party Advisory
https://matrix.org/docs/guides/moderation/#power-levelsVendor Advisory
https://github.com/matrix-org/gomatrixserverlib/commit/723fd495dde835d078b9f2074PatchThird Party Advisory
https://github.com/matrix-org/gomatrixserverlib/security/advisories/GHSA-grvv-h2Third Party Advisory
https://matrix.org/docs/guides/moderation/#power-levelsVendor Advisory

FAQ

What is CVE-2022-36009?

CVE-2022-36009 is a vulnerability with a CVSS score of 5.0 (MEDIUM). gomatrixserverlib is a Go library for matrix protocol federation. Dendrite is a Matrix homeserver written in Go, an alternative to Synapse. The power level parsing within gomatrixserverlib was failing...

How severe is CVE-2022-36009?

CVE-2022-36009 has been rated MEDIUM with a CVSS base score of 5.0/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2022-36009?

Check the references section above for vendor advisories and patch information. Affected products include: Matrix Dendrite, Matrix Gomatrixserverlib.