← Back

CVE-2022-39374

nvd nist
Published: May 26, 2023Modified: Feb 13, 2025

JSON object

Loading...
6.5
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Exploitability: 2.8 / Impact: 3.6
Source: NVD

Description

Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. If Synapse and a malicious homeserver are both joined to the same room, the malicious homeserver can trick Synapse into accepting previously rejected events into its view of the current state of that room. This can be exploited in a way that causes all further messages and state changes sent in that room from the vulnerable homeserver to be rejected. This issue has been patched in version 1.68.0

Affected (1)

Products: Matrix: Synapse
Matrix
1 product
Synapse
Configuration A
1 vulnerable
Vulnerable SoftwareAffected Versions
Synapse
From 1.62.0 to 1.68.0

Related CWEs

CWE-400
Uncontrolled Resource Consumption
The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

References (6)

Source: security-advisories@github.com
Issue TrackingPatch
Source: security-advisories@github.com
MitigationVendor Advisory
Source: security-advisories@github.com
Source: af854a3a-2127-422b-91ae-364da2661108
Issue TrackingPatch
Source: af854a3a-2127-422b-91ae-364da2661108
MitigationVendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.