Lucene search

FreeBSDD658042C-1C98-11ED-95F8-901B0E9408DC

HistoryAug 15, 2022 - 12:00 a.m.

dendrite -- Incorrect parsing of the event default power level in event auth

2022-08-1500:00:00

vuxml.freebsd.org

dendrite

parsing error

event auth

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.002

Percentile

60.7%

JSON

Dendrite team reports:

The power level parsing within gomatrixserverlib was failing to parse the “events_default”
key of the m.room.power_levels event, defaulting the event default power level to zero in all cases.
In rooms where the “events_default” power level had been changed, this could result in
events either being incorrectly authorised or rejected by Dendrite servers.

OSVersionArchitecturePackageVersionFilename
FreeBSDanynoarchdendrite< 0.9.3UNKNOWN

OS	Version	Architecture	Package	Version	Filename
FreeBSD	any	noarch	dendrite	< 0.9.3	UNKNOWN

References

github.com/matrix-org/gomatrixserverlib/security/advisories/GHSA-grvv-h2f9-7v9c

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.002

Percentile

60.7%

JSON

Related for D658042C-1C98-11ED-95F8-901B0E9408DC