CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
47.9%
Synapse is an open-source Matrix homeserver written and maintained by the
Matrix.org Foundation. The Matrix specification specifies a list of event
authorization
rules which
must be checked when determining if an event should be accepted into a
room. In versions of Synapse up to and including version 1.61.0, some of
these rules are not correctly applied. An attacker could craft events which
would be accepted by Synapse but not a spec-conformant server, potentially
causing divergence in the room state between servers. Administrators of
homeservers with federation enabled are advised to upgrade to version
1.62.0 or higher. Federation can be disabled by setting
federation_domain_whitelist
to an empty list ([]
) as a workaround.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | matrix-synapse | < any | UNKNOWN |
ubuntu | 20.04 | noarch | matrix-synapse | < any | UNKNOWN |
ubuntu | 22.04 | noarch | matrix-synapse | < any | UNKNOWN |
github.com/matrix-org/synapse/pull/13087
github.com/matrix-org/synapse/pull/13088
github.com/matrix-org/synapse/releases/tag/v1.62.0
github.com/matrix-org/synapse/security/advisories/GHSA-jhjh-776m-4765
launchpad.net/bugs/cve/CVE-2022-31152
nvd.nist.gov/vuln/detail/CVE-2022-31152
security-tracker.debian.org/tracker/CVE-2022-31152
www.cve.org/CVERecord?id=CVE-2022-31152