CVE-2023-32682

Synapse is a Matrix protocol homeserver written in Python with the Twisted
framework. In affected versions it may be possible for a deactivated user
to login when using uncommon configurations. This only applies if any of
the following are true: 1. JSON Web Tokens are enabled for login via the
jwt_config.enabled configuration setting. 2. The local password database
is enabled via the password_config.enabled and
password_config.localdb_enabled configuration settings and a user’s
password is updated via an admin API after a user is deactivated. Note that
the local password database is enabled by default, but it is uncommon to
set a user’s password after they’ve been deactivated. Installations that
are configured to only allow login via Single Sign-On (SSO) via CAS, SAML
or OpenID Connect (OIDC); or via an external password provider (e.g. LDAP)
are not affected. If not using JSON Web Tokens, ensure that deactivated
users do not have a password set. This issue has been addressed in version
1.85.0. Users are advised to upgrade.