CVE-2020-26890: Input Validation
First published: Tue Nov 24 2020(Updated: )
### Impact A denial of service attack against Matrix clients can be exploited by sending an event including invalid JSON data to Synapse. Synapse would relay the data to clients which could crash or hang. Impact is long-lasting if the event is made part of the room state. ### Patches At a minimum #8106 and #8291 must be applied. #7372 and #8124 include additional checks. ### Workarounds There are no known workarounds. ### Upgrading notes If an invalid event is accepted by an earlier Synapse it can become part of the room state and will not be fixed by upgrading Synapse. Redacting the invalid event should avoid clients receiving the invalid event.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Matrix Synapse | <1.20.0 | |
| Fedoraproject Fedora | =32 | |
| Fedoraproject Fedora | =33 | |
| pip/matrix-synapse | <1.20.0 | 1.20.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/matrix-org/synapse/security/advisories/GHSA-4mp3-385r-v63f
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G7YXMMYQP46PYL664JQUXCA3LPBJU7DQ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U34DPP4ZLOEDUY2ZCWOHQPU5GA5LYNUQ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U34DPP4ZLOEDUY2ZCWOHQPU5GA5LYNUQ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G7YXMMYQP46PYL664JQUXCA3LPBJU7DQ/
- https://nvd.nist.gov/vuln/detail/CVE-2020-26890
- https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2020-237.yaml
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G7YXMMYQP46PYL664JQUXCA3LPBJU7DQ
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U34DPP4ZLOEDUY2ZCWOHQPU5GA5LYNUQ
- https://pypi.org/project/matrix-synapse
- https://github.com/advisories/GHSA-4mp3-385r-v63f (Advisory)
Frequently Asked Questions
What is the vulnerability ID?
The vulnerability ID is CVE-2020-26890.
What is the severity of CVE-2020-26890?
The severity of CVE-2020-26890 is high, with a severity value of 7.5.
What software is affected by CVE-2020-26890?
Matrix Synapse versions up to 1.20.0, Fedora versions 32 and 33 are affected by CVE-2020-26890.
What is the impact of CVE-2020-26890?
CVE-2020-26890 allows remote attackers to execute a denial of service attack against the federation and common Matrix clients.
How can CVE-2020-26890 be fixed?
To fix CVE-2020-26890, it is recommended to upgrade to Matrix Synapse version 1.20.0 or later.
- collector/nvd-index
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/remedy
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-4mp3-385r-v63f
- alias/CVE-2020-26890
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/severity
- agent/references
- agent/softwarecombine
- agent/event
- agent/description
- collector/nvd-cve
- source/NVD
- agent/author
- collector/github-advisory
- agent/tags
- agent/trending
- vendor/matrix
- canonical/matrix synapse
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/32
- version/fedoraproject fedora/33
- package-manager/pip