PT-2019-17843 · Matrix+2 · Matrix Synapse+2

Neil Johnson · Published 2019-02-07 · Updated 2024-06-15 · CVE-2019-5885

CVSS v4.0: 8.7 (High)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

Matrix Synapse versions prior to 0.34.0.1

Description

The issue allows remote attackers to impersonate users due to the use of a predictable value to derive a secret key and other secrets when the macaroon secret key authentication parameter is not set.

Recommendations

For versions prior to 0.34.0.1, update to version 0.34.0.1 or later to resolve the issue. As a temporary workaround, consider setting the macaroon secret key authentication parameter to a unique and unpredictable value to minimize the risk of exploitation.

Fix

Use of Insufficiently Random Values

Weakness Enumeration

Related Identifiers

ALT-PU-2019-1189
CVE-2019-5885
GHSA-JRQM-V8CV-53WW
OPENSUSE-SU-2024:11041-1
PYSEC-2019-187
USN-6076-1

Affected Products

Alt Linux
Matrix Synapse
Ubuntu