Vulnerability Description
Dendrite is a Matrix homeserver written in Go. In affected versions events retrieved from a remote homeserver using the `/get_missing_events` path did not have their signatures verified correctly. This could potentially allow a remote homeserver to provide invalid/modified events to Dendrite via this endpoint. Note that this does not apply to events retrieved through other endpoints (e.g. `/event`, `/state`) as they have been correctly verified. Homeservers that have federation disabled are not vulnerable. The problem has been fixed in Dendrite 0.9.8. Users are advised to upgrade. There are no known workarounds for this issue.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Matrix | Dendrite | < 0.9.8 |
Related Weaknesses (CWE)
References
- https://github.com/matrix-org/dendrite/commit/2792d0490f3771488bad346981b8c26479PatchThird Party Advisory
- https://github.com/matrix-org/dendrite/security/advisories/GHSA-pfw4-xjgm-267cThird Party Advisory
- https://github.com/matrix-org/dendrite/commit/2792d0490f3771488bad346981b8c26479PatchThird Party Advisory
- https://github.com/matrix-org/dendrite/security/advisories/GHSA-pfw4-xjgm-267cThird Party Advisory
FAQ
What is CVE-2022-39200?
CVE-2022-39200 is a vulnerability with a CVSS score of 7.3 (HIGH). Dendrite is a Matrix homeserver written in Go. In affected versions events retrieved from a remote homeserver using the `/get_missing_events` path did not have their signatures verified correctly. Thi...
How severe is CVE-2022-39200?
CVE-2022-39200 has been rated HIGH with a CVSS base score of 7.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-39200?
Check the references section above for vendor advisories and patch information. Affected products include: Matrix Dendrite.