CVSS2: AV:N/AC:M/Au:N/C:N/I:P/A:N

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | PARTIAL |
Availability Impact | NONE |

CVSS3: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | NONE |
Integrity Impact | HIGH |
Availability Impact | NONE |

EPSS Percentile: 50.2%

Matrix developers report:

This release patches one high severity issue affecting Synapse installations 1.47.0 and earlier using the media repository. An attacker could cause these Synapses to download a remote file and store it in a directory outside the media repository.

Note that:

- This only affects homeservers using Synapse’s built-in media repository, as opposed to synapse-s3-storage-provider or matrix-media-repo.
- Attackers cannot control the exact name or destination of the stored file.

OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
FreeBSD | any | noarch | py36-matrix-synapse | < 1.47.1 | UNKNOWN |
FreeBSD | any | noarch | py37-matrix-synapse | < 1.47.1 | UNKNOWN |
FreeBSD | any | noarch | py38-matrix-synapse | < 1.47.1 | UNKNOWN |
FreeBSD | any | noarch | py39-matrix-synapse | < 1.47.1 | UNKNOWN |
FreeBSD | any | noarch | py310-matrix-synapse | < 1.47.1 | UNKNOWN |