CVE-2022-31152

 

Published at: - 02-09-2022 10:15

Last modified: - 09-09-2022 05:21

Total changes: - 3

Description

Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. The Matrix specification specifies a list of [event authorization rules](https://spec.matrix.org/v1.2/rooms/v9/#authorization-rules) which must be checked when determining if an event should be accepted into a room. In versions of Synapse up to and including version 1.61.0, some of these rules are not correctly applied. An attacker could craft events which would be accepted by Synapse but not a spec-conformant server, potentially causing divergence in the room state between servers. Administrators of homeservers with federation enabled are advised to upgrade to version 1.62.0 or higher. Federation can be disabled by setting [`federation_domain_whitelist`](https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#federation_domain_whitelist) to an empty list (`[]`) as a workaround.

Common Vulnerability Scoring System (CVSS)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

 

Verification logic

 

Reference

• https://github.com/matrix-org/synapse/pull/13087
• https://github.com/matrix-org/synapse/pull/13088
• https://github.com/matrix-org/synapse/releases/tag/v1.62.0
• https://github.com/matrix-org/synapse/security/advisories/GHSA-jhjh-776m-4765

 

Keywords

NVD

 

CVE-2022-31152

 

CVE

 

Common vulnerabilities & exposures

 

CVSS

 

Common vulnerability scoring system

 

Security

 

Vulnerabilities

 

Exposures