Latest matrix synapse Vulnerabilities

CVE-2023-43796
Synapse vulnerable to leak of remote user device information
pip/matrix-synapse<1.95.1
Matrix Synapse<1.95.1
Fedoraproject Fedora=38
Fedoraproject Fedora=39
<1.95.1
=38
and 1 more
CVE-2023-45129
matrix-synapse vulnerable to denial of service due to malicious server ACL events
pip/matrix-synapse<1.94.0
Matrix Synapse<1.94.0
Fedoraproject Fedora=37
Fedoraproject Fedora=38
<1.94.0
=37
and 1 more
CVE-2023-42453
Improper validation of receipts allows forged read receipts in matrix synapse
pip/matrix-synapse>=0.34.0<1.93.0
>=1.34.0<1.93.0
=37
=38
Matrix Synapse>=1.34.0<1.93.0
Fedoraproject Fedora=37
and 1 more
CVE-2023-41335
Temporary storage of plaintext passwords during password changes in matrix synapse
pip/matrix-synapse>=1.66.0<1.93.0
>=1.66.0<1.93.0
=37
=38
Matrix Synapse>=1.66.0<1.93.0
Fedoraproject Fedora=37
and 1 more
CVE-2023-32683
Synapse is a Matrix protocol homeserver written in Python with the Twisted framework. A discovered oEmbed or image URL can bypass the `url_preview_url_blacklist` setting potentially allowing server si...
Matrix Synapse<1.85.0
pip/matrix-synapse<1.85.0
CVE-2023-32682
Synapse is a Matrix protocol homeserver written in Python with the Twisted framework. In affected versions it may be possible for a deactivated user to login when using uncommon configurations. This o...
Matrix Synapse<1.85.0
pip/matrix-synapse<1.85.0
CVE-2023-32323
### Impact A malicious user on a Synapse homeserver X with permission to create certain state events can disable outbound federation from X to an arbitrary homeserver Y. Synapse instances with feder...
Matrix Synapse<1.74.0
pip/matrix-synapse<1.74.0
CVE-2022-39374
Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. If Synapse and a malicious homeserver are both joined to the same room, the malicious homeserver can tr...
Matrix Synapse>=1.62.0<1.68.0
CVE-2022-39335
Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. The Matrix Federation API allows remote homeservers to request the authorization events in a room. This...
Matrix Synapse<1.69.0
CVE-2022-41952
Synapse before 1.52.0 with URL preview functionality enabled will attempt to generate URL previews for media stream URLs without properly limiting connection time. Connections will only be terminated ...
Matrix Synapse<1.53.0
CVE-2022-31152
Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. The Matrix specification specifies a list of [event authorization rules](https://spec.matrix.org/v1.2/r...
Matrix Synapse<1.62.0
CVE-2022-31052
Synapse is an open source home server implementation for the Matrix chat network. In versions prior to 1.61.1 URL previews of some web pages can exhaust the available stack space for the Synapse proce...
Matrix Synapse<1.61.1
Fedoraproject Fedora=35
Fedoraproject Fedora=36
CVE-2021-41281
Synapse is a package for Matrix homeservers written in Python 3/Twisted. Prior to version 1.47.1, Synapse instances with the media repository enabled can be tricked into downloading a file from a remo...
Matrix Synapse<1.47.1
Fedoraproject Fedora=34
Fedoraproject Fedora=35
CVE-2021-39164
Matrix is an ecosystem for open federated Instant Messaging and Voice over IP. In versions 1.41.0 and prior, unauthorised users can access the membership (list of members, with their display names) of...
Matrix Synapse<1.41.1
Fedoraproject Fedora=34
Fedoraproject Fedora=35
CVE-2021-39163
Matrix is an ecosystem for open federated Instant Messaging and Voice over IP. In versions 1.41.0 and prior, unauthorised users can access the name, avatar, topic and number of members of a room if th...
Matrix Synapse<1.41.1
Fedoraproject Fedora=34
Fedoraproject Fedora=35
CVE-2021-29471
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.33.2 "Push r...
Matrix Synapse<1.33.2
Fedoraproject Fedora=34
CVE-2021-21392
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0 request...
Matrix Synapse<1.28.0
Fedoraproject Fedora=34
CVE-2021-21393
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0 Synapse...
Matrix Synapse>0.24.0<1.28.0
Fedoraproject Fedora=34
CVE-2021-21394
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0 Synapse...
Matrix Synapse>0.17.0<1.28.0
Fedoraproject Fedora=34
CVE-2021-21333
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.27.0, the no...
Matrix Synapse<1.27.0
Fedoraproject Fedora=34
CVE-2021-21332
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.27.0, the pa...
Matrix Synapse<1.27.0
Fedoraproject Fedora=34
CVE-2021-21274
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.25.0, a mali...
Matrix Synapse>=0.99.0<1.25.0
Fedoraproject Fedora=34
CVE-2021-21273
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.25.0, reques...
Matrix Synapse<1.25.0
Fedoraproject Fedora=34
CVE-2020-26257
Matrix is an ecosystem for open federated Instant Messaging and VoIP. Synapse is a reference "homeserver" implementation of Matrix. A malicious or poorly-implemented homeserver can inject malformed ev...
Matrix Synapse<1.23.1
Fedoraproject Fedora=32
Fedoraproject Fedora=33
CVE-2020-26890
Matrix Synapse before 1.20.0 erroneously permits non-standard NaN, Infinity, and -Infinity JSON values in fields of m.room.member events, allowing remote attackers to execute a denial of service attac...
Matrix Synapse<1.20.0
Fedoraproject Fedora=32
Fedoraproject Fedora=33
CVE-2020-26891
AuthRestServlet in Matrix Synapse before 1.21.0 is vulnerable to XSS due to unsafe interpolation of the session GET parameter. This allows a remote attacker to execute an XSS attack on the domain Syna...
Matrix Synapse<1.21.0
CVE-2019-18835
Matrix Synapse before 1.5.0 mishandles signature checking on some federation APIs. Events sent over `/send_join`, `/send_leave`, and `/invite` may not be correctly signed, or may not come from the exp...
pip/matrix-synapse<1.5.0
Matrix Synapse<1.5.0
CVE-2019-11842
An issue was discovered in Matrix Sydent before 1.0.3 and Synapse before 0.99.3.1. Random number generation is mishandled, which makes it easier for attackers to predict a Sydent authentication token ...
Matrix Sydent<1.0.3
Matrix Synapse<0.99.3.1
CVE-2019-5885
Matrix Synapse before 0.34.0.1, when the `macaroon_secret_key` authentication parameter is not set, uses a predictable value to derive a secret key and other secrets which could allow remote attackers...
pip/matrix-synapse<0.34.0.1
Matrix Synapse<0.34.0.1
Fedoraproject Fedora=28
Fedoraproject Fedora=29
CVE-2018-16515
Matrix Synapse before 0.33.3.1 and 0.33.2.1 allows remote attackers to spoof events and possibly have unspecified other impacts by leveraging improper transaction and event signature validation.
pip/matrix-synapse<0.33.2.1
pip/matrix-synapse>=0.33.3<0.33.3.1
Matrix Synapse<0.33.3.1
Debian Debian Linux=8.0
CVE-2018-12423
In Synapse before 0.31.2, unauthorised users can hijack rooms when there is no `m.room.power_levels` event in force.
Matrix Synapse<0.31.2
CVE-2018-12291
The on_get_missing_events function in handlers/federation.py in Matrix Synapse before 0.31.1 has a security bug in the get_missing_events federation API where event visibility rules were not applied c...
Matrix Synapse<0.31.1

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203