MatrixSynapse

8 matches found

CVE
added 2020/11/24 3:15 a.m., 113 views

CVE-2020-26890

Matrix Synapse before 1.20.0 erroneously permits non-standard NaN, Infinity, and -Infinity JSON values in fields of m.room.member events, allowing remote attackers to execute a denial of service attack against the federation and common Matrix clients. If such a malformed event is accepted into the ...

CVSS 7.5, AI score 7.4, EPSS 0.00955

CVE
added 2021/11/23 8:15 p.m., 96 views

CVE-2021-41281

Synapse is a package for Matrix homeservers written in Python 3/Twisted. Prior to version 1.47.1, Synapse instances with the media repository enabled can be tricked into downloading a file from a remote server into an arbitrary directory. No authentication is required for the affected endpoint. The...

CVSS 7.5, AI score 7.6, EPSS 0.00549

CVE
added 2022/09/02 8:15 p.m., 88 views

CVE-2022-31152

Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. The Matrix specification specifies a list of event authorization rules which must be checked when determining if an event should be accepted into a room. In versions of Synapse up to and including versi...

CVSS 7.5, AI score 6.7, EPSS 0.00149

CVE
added 2019/05/09 6:29 p.m., 67 views

CVE-2019-11842

An issue was discovered in Matrix Sydent before 1.0.3 and Synapse before 0.99.3.1. Random number generation is mishandled, which makes it easier for attackers to predict a Sydent authentication token or a Synapse random ID.

CVSS 7.5, AI score 7.5, EPSS 0.00535

CVE
added 2019/03/21 4:1 p.m., 58 views

CVE-2019-5885

Matrix Synapse before 0.34.0.1, when the macaroon_secret_key authentication parameter is not set, uses a predictable value to derive a secret key and other secrets which could allow remote attackers to impersonate users.

CVSS 7.5, AI score 7.5, EPSS 0.008

CVE
added 2018/05/02 4:29 p.m., 55 views

CVE-2018-10657

Matrix Synapse before 0.28.1 is prone to a denial of service flaw where malicious events injected with depth = 2^63 - 1 render rooms unusable, related to federation/federation_base.py and handlers/message.py, as exploited in the wild in April 2018.

CVSS 7.5, AI score 7.2, EPSS 0.00402

CVE
added 2018/06/13 2:29 p.m., 44 views

CVE-2018-12291

The on_get_missing_events function in handlers/federation.py in Matrix Synapse before 0.31.1 has a security bug in the get_missing_events federation API where event visibility rules were not applied correctly.

CVSS 7.5, AI score 7.4, EPSS 0.00211

CVE
added 2018/06/14 9:29 p.m., 43 views

CVE-2018-12423

In Synapse before 0.31.2, unauthorised users can hijack rooms when there is no m.room.power_levels event in force.

CVSS 7.5, AI score 7.4, EPSS 0.00349