CVE-2019-18835
First published: Fri Nov 08 2019(Updated: )
Matrix Synapse before 1.5.0 mishandles signature checking on some federation APIs. Events sent over `/send_join`, `/send_leave`, and `/invite` may not be correctly signed, or may not come from the expected servers.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| pip/matrix-synapse | <1.5.0 | 1.5.0 |
| Matrix Synapse | <1.5.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2019-18835?
CVE-2019-18835 is a vulnerability in Matrix Synapse before version 1.5.0 that mishandles signature checking on some federation APIs.
What is the severity of CVE-2019-18835?
CVE-2019-18835 has a severity rating of 9.8 out of 10, which is considered critical.
How does CVE-2019-18835 affect Matrix Synapse?
CVE-2019-18835 affects Matrix Synapse versions before 1.5.0 by causing mishandling of signature checking on certain federation APIs.
How can CVE-2019-18835 be fixed?
CVE-2019-18835 can be fixed by updating Matrix Synapse to version 1.5.0 or later.
Are there any references for CVE-2019-18835?
Yes, you can find references for CVE-2019-18835 at the following links: [NVD](https://nvd.nist.gov/vuln/detail/CVE-2019-18835), [GitHub Pull Request](https://github.com/matrix-org/synapse/pull/6262), [GitHub Release](https://github.com/matrix-org/synapse/releases/tag/v1.5.0).
- collector/github-advisory-latest
- alias/GHSA-cppw-2mf8-qpm5
- alias/CVE-2019-18835
- collector/github-advisory
- collector/nvd-index
- collector/nvd-cve
- package-manager/pip
- vendor/matrix
- canonical/matrix synapse