Lucene search

K
cve[email protected]CVE-2022-39374
HistoryMay 26, 2023 - 2:15 p.m.

CVE-2022-39374

2023-05-2614:15:10
CWE-400
web.nvd.nist.gov
28
synapse
open-source
matrix homeserver
cve-2022-39374
patch
version 1.68.0

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

6.1 Medium

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

51.7%

Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. If Synapse and a malicious homeserver are both joined to the same room, the malicious homeserver can trick Synapse into accepting previously rejected events into its view of the current state of that room. This can be exploited in a way that causes all further messages and state changes sent in that room from the vulnerable homeserver to be rejected. This issue has been patched in version 1.68.0

Affected configurations

Vulners
NVD
Node
matrix-orgsynapseRange1.62.01.68.0
CPENameOperatorVersion
matrix:synapsematrix synapselt1.68.0

CNA Affected

[
  {
    "vendor": "matrix-org",
    "product": "synapse",
    "versions": [
      {
        "version": ">= 1.62.0, < 1.68.0",
        "status": "affected"
      }
    ]
  }
]

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

6.1 Medium

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

51.7%