Product:

Synapse

(Matrix)
Repositories https://github.com/matrix-org/synapse
#Vulnerabilities 33
Date Id Summary Products Score Patch Annotated
2018-09-18 CVE-2018-16515 Matrix Synapse before 0.33.3.1 allows remote attackers to spoof events and possibly have unspecified other impacts by leveraging improper transaction and event signature validation. Debian_linux, Synapse 8.8
2019-03-21 CVE-2019-5885 Matrix Synapse before 0.34.0.1, when the macaroon_secret_key authentication parameter is not set, uses a predictable value to derive a secret key and other secrets which could allow remote attackers to impersonate users. Fedora, Synapse 7.5
2019-11-08 CVE-2019-18835 Matrix Synapse before 1.5.0 mishandles signature checking on some federation APIs. Events sent over /send_join, /send_leave, and /invite may not be correctly signed, or may not come from the expected servers. Synapse N/A
2019-05-09 CVE-2019-11842 An issue was discovered in Matrix Sydent before 1.0.3 and Synapse before 0.99.3.1. Random number generation is mishandled, which makes it easier for attackers to predict a Sydent authentication token or a Synapse random ID. Sydent, Synapse 7.5
2018-06-14 CVE-2018-12423 In Synapse before 0.31.2, unauthorised users can hijack rooms when there is no m.room.power_levels event in force. Synapse 7.5
2018-06-13 CVE-2018-12291 The on_get_missing_events function in handlers/federation.py in Matrix Synapse before 0.31.1 has a security bug in the get_missing_events federation API where event visibility rules were not applied correctly. Synapse 7.5
2018-05-02 CVE-2018-10657 Matrix Synapse before 0.28.1 is prone to a denial of service flaw where malicious events injected with depth = 2^63 - 1 render rooms unusable, related to federation/federation_base.py and handlers/message.py, as exploited in the wild in April 2018. Synapse 7.5