CVE-2023-43796: Synapse vulnerable to leak of remote user device information
First published: Tue Oct 31 2023(Updated: )
### Impact Cached device information of remote users can be queried from Synapse. This can be used to enumerate the remote users known to a homeserver. ### Patches System administrators are encouraged to upgrade to Synapse 1.95.1 as soon as possible. ### Workarounds The `federation_domain_whitelist` can be used to limit federation traffic with a homeserver.
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| pip/matrix-synapse | <1.95.1 | 1.95.1 |
| Matrix Synapse | <1.95.1 | |
| Fedoraproject Fedora | =38 | |
| Fedoraproject Fedora | =39 | |
| <1.95.1 | ||
| =38 | ||
| =39 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/matrix-org/synapse/security/advisories/GHSA-mp92-3jfm-3575
- https://nvd.nist.gov/vuln/detail/CVE-2023-43796
- https://github.com/matrix-org/synapse/commit/daec55e1fe120c564240c5386e77941372bf458f
- https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2023-230.yaml
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2IDEEZMFJBDLTFHQUTZRJJNCOZGQ2ZVS/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VH3RNC5ZPQZ4OKPSL4E6BBJSZOQLGDEY/
- https://security.gentoo.org/glsa/202401-12
- https://github.com/advisories/GHSA-mp92-3jfm-3575 (Advisory)
Frequently Asked Questions
What is the vulnerability ID for this Synapse vulnerability?
The vulnerability ID for this Synapse vulnerability is CVE-2023-43796.
What is the title of this Synapse vulnerability?
The title of this Synapse vulnerability is 'Synapse vulnerable to leak of remote user device information'.
What is the severity of CVE-2023-43796?
The severity of CVE-2023-43796 is medium with a CVSS v3.1 score of 5.3.
How can an attacker exploit this vulnerability?
An attacker can exploit this vulnerability by querying the cached device information of remote users from Synapse to enumerate the remote users known to a homeserver.
How can system administrators fix this vulnerability?
System administrators should upgrade to Synapse 1.95.1 or 1.96.0 to fix this vulnerability.
- collector/github-advisory-latest
- alias/GHSA-mp92-3jfm-3575
- alias/CVE-2023-43796
- agent/type
- agent/last-modified-date
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/author
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/title
- agent/remedy
- agent/weakness
- agent/severity
- agent/softwarecombine
- agent/tags
- collector/nvd-cve
- collector/github-advisory
- source/GitHub
- agent/event
- agent/description
- agent/trending
- package-manager/pip
- vendor/matrix
- canonical/matrix synapse
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/38
- version/fedoraproject fedora/39