GitHub Advisory DatabaseGHSA-JHJH-776M-4765Denial of service due to incorrect application of event authorization rules
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
47.9%
Impact
The Matrix specification specifies a list of event authorization rules which must be checked when determining if an event should be accepted into a room.
In versions of Synapse up to and including v1.61, some of these rules are not correctly applied. An attacker could craft events which would be accepted by Synapse but not a spec-conformant server, potentially causing divergence in the room state between servers.
Patches
Administrators of homeservers with federation enabled are advised to upgrade to v1.62.0 or higher.
Workarounds
- Federation can be disabled by setting
federation_domain_whitelistto an empty list ([]).
References
For more information
If you have any questions or comments about this advisory, e-mail us at [email protected].
Affected configurations
References
github.com/advisories/GHSA-jhjh-776m-4765
github.com/matrix-org/synapse/commit/d4b1c0d800eaa83c4d56a9cf17881ad362b9194b
github.com/matrix-org/synapse/commit/e16ea87d0f8c4c30cad36f85488eb1f647e640b0
github.com/matrix-org/synapse/pull/13087
github.com/matrix-org/synapse/pull/13088
github.com/matrix-org/synapse/releases/tag/v1.62.0
github.com/matrix-org/synapse/security/advisories/GHSA-jhjh-776m-4765
github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2022-262.yaml
nvd.nist.gov/vuln/detail/CVE-2022-31152
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
47.9%