PT-2023-23957 · Synapse+1 · Synapse+1

Lowerikjohnston

Published 2023-06-06 · Updated 2024-06-15 · CVE-2023-32682

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Synapse versions prior to 1.85.0
Description: The issue allows a deactivated user to log in under certain uncommon configurations. This can happen if JSON Web Tokens are enabled for login via the jwt_config.enabled configuration setting, or if the local password database is enabled and a user's password is updated via an admin API after deactivation. Installations using Single Sign-On (SSO) or external password providers are not affected.
Recommendations: For versions prior to 1.85.0, upgrade to version 1.85.0 to address the issue. As a temporary workaround, ensure that deactivated users do not have a password set, especially if not using JSON Web Tokens. To identify affected users, query the PostgreSQL database using the SQL command:
SELECT name FROM users WHERE password_hash IS NOT NULL AND deactivated = 1;
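The detection query and the workaround from the recommendation above, run end to end over a constructed sample (an added example, not code from the advisory or from the Synapse project; it assumes an in-memory SQLite stand-in with only the three columns the query touches, in place of the real PostgreSQL users table):

```python
import sqlite3

# Detection query from the advisory, unchanged.
AFFECTED_USERS_SQL = (
    "SELECT name FROM users "
    "WHERE password_hash IS NOT NULL AND deactivated = 1"
)

# Workaround: drop the stored hash so the local password database
# can no longer authenticate a deactivated account.
CLEAR_PASSWORD_SQL = (
    "UPDATE users SET password_hash = NULL "
    "WHERE password_hash IS NOT NULL AND deactivated = 1"
)


def make_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for the Synapse database (assumption: only the
    name, password_hash and deactivated columns are modelled)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, "
                 "password_hash TEXT, deactivated INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("@alice:example.org", "$2b$12$constructed-hash-1", 0),  # active
        ("@bob:example.org", "$2b$12$constructed-hash-2", 1),    # deactivated, hash left
        ("@carol:example.org", None, 1),                         # deactivated, clean
        ("@dave:example.org", "$2b$12$constructed-hash-3", 1),   # deactivated, hash left
    ])
    conn.commit()
    return conn


def find_affected_users(conn: sqlite3.Connection) -> list[str]:
    """Run the advisory's query; returns user IDs that still have a password."""
    return [row[0] for row in conn.execute(AFFECTED_USERS_SQL)]


def clear_deactivated_passwords(conn: sqlite3.Connection) -> int:
    """Apply the workaround; returns the number of accounts cleaned."""
    cur = conn.execute(CLEAR_PASSWORD_SQL)
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = make_sample_db()
    print("affected before:", find_affected_users(db))
    print("cleared:", clear_deactivated_passwords(db))
    print("affected after:", find_affected_users(db))
```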

Exploit

Fix

Weakness Enumeration

Improper Authentication

Related Identifiers

ALT-PU-2023-4748
CVE-2023-32682
GHSA-26C5-PPR8-F33P
OPENSUSE-SU-2024:13039-1
PYSEC-2023-84

Affected Products

Alt Linux
Synapse