What is CVE-2022-39335?

CVE-2022-39335 is a vulnerability in the Matrix Synapse server that allows remote homeservers to request unauthorized events in a room.

What is the impact of CVE-2022-39335?

The impact of CVE-2022-39335 is that it allows attackers to obtain unauthorized information by requesting the authorization events of events in a room.

How severe is CVE-2022-39335?

CVE-2022-39335 has a severity rating of medium.

Which software versions are affected by CVE-2022-39335?

Versions up to and excluding 1.69.0 of the Matrix Synapse server are affected by CVE-2022-39335.

How can I fix CVE-2022-39335?

To fix CVE-2022-39335, upgrade to version 1.69.0 or later of the Matrix Synapse server.

Vulnerability/
CVE-2022-39335

medium

CWE

200 862

24/5/2023

26/5/2023

11/6/2023

CVE-2022-39335: Infoleak

First published: Wed May 24 2023(Updated: )

Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. The Matrix Federation API allows remote homeservers to request the authorization events in a room. This is necessary so that a homeserver receiving some events can validate that those events are legitimate and permitted in their room. However, in versions of Synapse up to and including 1.68.0, a Synapse homeserver answering a query for authorization events does not sufficiently check that the requesting server should be able to access them. The issue was patched in Synapse 1.69.0. Homeserver administrators are advised to upgrade.

Credit: security-advisories@github.com security-advisories@github.com

Affected Software	Affected Version	How to fix
Matrix Synapse	<1.69.0

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2022-39335?
CVE-2022-39335 is a vulnerability in the Matrix Synapse server that allows remote homeservers to request unauthorized events in a room.
What is the impact of CVE-2022-39335?
The impact of CVE-2022-39335 is that it allows attackers to obtain unauthorized information by requesting the authorization events of events in a room.
How severe is CVE-2022-39335?
CVE-2022-39335 has a severity rating of medium.
Which software versions are affected by CVE-2022-39335?
Versions up to and excluding 1.69.0 of the Matrix Synapse server are affected by CVE-2022-39335.
How can I fix CVE-2022-39335?
To fix CVE-2022-39335, upgrade to version 1.69.0 or later of the Matrix Synapse server.

collector/github-advisory
alias/GHSA-45cj-f97f-ggwv
alias/CVE-2022-39335
collector/github-advisory-latest
collector/nvd-latest
vendor/matrix
vendor/synapse
collector/nvd-cve
collector/nvd-index
agent/author
agent/description
agent/event
agent/first-publish-date
agent/last-modified-date
agent/references
agent/remedy
agent/severity
agent/softwarecombine
agent/tags
agent/type
agent/weakness
package-manager/pip
canonical/matrix synapse

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.