Vulnerability Description
Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. If Synapse and a malicious homeserver are both joined to the same room, the malicious homeserver can trick Synapse into accepting previously rejected events into its view of the current state of that room. This can be exploited in a way that causes all further messages and state changes sent in that room from the vulnerable homeserver to be rejected. This issue has been patched in version 1.68.0
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Matrix | Synapse | >= 1.62.0, < 1.68.0 |
Related Weaknesses (CWE)
References
- https://github.com/matrix-org/synapse/pull/13723Issue TrackingPatch
- https://github.com/matrix-org/synapse/security/advisories/GHSA-p9qp-c452-f9r7MitigationVendor Advisory
- https://lists.fedoraproject.org/archives/list/[email protected]
- https://github.com/matrix-org/synapse/pull/13723Issue TrackingPatch
- https://github.com/matrix-org/synapse/security/advisories/GHSA-p9qp-c452-f9r7MitigationVendor Advisory
- https://lists.fedoraproject.org/archives/list/[email protected]
FAQ
What is CVE-2022-39374?
CVE-2022-39374 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. If Synapse and a malicious homeserver are both joined to the same room, the malicious homeserver can tr...
How severe is CVE-2022-39374?
CVE-2022-39374 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-39374?
Check the references section above for vendor advisories and patch information. Affected products include: Matrix Synapse.