Dkasak

**Name of the Vulnerable Software and Affected Versions** Synapse versions prior to 1.138.3 Synapse version 1.139.0 **Description** Synapse is an open source Matrix homeserver implementation. Insufficient validation of device keys in affected versions allows an attacker registered on the victim homeserver to disrupt federation functionality, potentially breaking outbound federation to other homeservers. **Recommendations** Upgrade to Synapse version 1.138.4 or later. Upgrade to Synapse version 1.139.2 or later.

Name of the Vulnerable Software and Affected Versions: matrix-js-sdk versions 9.11.0 through 34.7.0 Description: The issue is related to the `MatrixClient.sendSharedHistoryKeys` method in the matrix-js-sdk, which is vulnerable to interception by malicious homeservers. This method is used to share historical message keys with newly invited users, granting them access to past messages in the room. However, it unconditionally sends these "shared" keys to all of the invited user's devices, regardless of whether the user's cryptographic identity is verified or whether the user's devices are signed by that identity. This allows an attacker to potentially inject its own devices to receive sensitive historical keys without proper security checks. The vulnerability only affects clients running the SDK with the legacy crypto stack. Recommendations: For matrix-js-sdk versions 9.11.0 through 34.7.0, update to version 34.8.0, which removes the vulnerable functionality. As a temporary workaround, consider removing the use of the affected `MatrixClient.sendSharedHistoryKeys` method from clients. Restrict access to the `MatrixClient.sendSharedHistoryKeys` method to minimize the risk of exploitation, especially in environments where the legacy crypto stack is used.

**Name of the Vulnerable Software and Affected Versions** matrix-sdk-crypto versions prior to 0.7.2 **Description** The `UserIdentity::is verified()` method in the matrix-sdk-crypto crate does not take into account the verification status of the user's own identity while performing the check, potentially returning a value contrary to what is implied by its name and documentation. If this method is used to decide whether to perform sensitive operations towards a user identity, a malicious homeserver could manipulate the outcome to make the identity appear trusted. However, this is not a typical usage of the method, which lowers the impact. The method itself is not used inside the matrix-sdk-crypto crate. **Recommendations** For versions prior to 0.7.2, upgrade to version 0.7.2 or later to resolve the issue. As a temporary workaround, consider avoiding the use of the `UserIdentity::is verified()` method to decide whether to perform sensitive operations towards a user identity until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: matrix-react-sdk versions 3.18.0 through 3.101.9 Description: The issue is related to insufficient protection of service data, allowing a malicious homeserver to potentially steal message keys for a room when a user invites another user to that room. This is possible because matrix-react-sdk before version 3.102.0 shared historical message keys on invite. Recommendations: For versions 3.18.0 through 3.101.9, update to version 3.102.0 to prevent the potential theft of message keys by a malicious homeserver during room invites. As a temporary workaround, consider disabling the sharing of message keys on invite until a patch is available. Restrict access to the vulnerable functionality to minimize the risk of exploitation. Avoid using the vulnerable version of matrix-react-sdk until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** vodozemac versions 0.5.0 through 0.5.1 **Description** The issue is related to degraded secret zeroization capabilities in vodozemac, due to changes in third-party cryptographic dependencies, specifically the Dalek crates. This could result in the production of more memory copies of encryption secrets and secrets lingering in memory longer than necessary, marginally increasing the risk of sensitive data exposure. The impact of this issue is considered low, as the inherent limitations of Rust regarding absolute zeroization reduce the practical severity of this lapse. **Recommendations** For versions 0.5.0 and 0.5.1, upgrade to version 0.6.0 to address the issue. At the moment, there are no known workarounds for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** matrix-react-sdk versions prior to 3.53.0 **Description** Events sent with special strings in key places can temporarily disrupt or impede the matrix-react-sdk from functioning properly, such as by causing room or event tile crashes. The remainder of the application can appear functional, though certain rooms/events will not be rendered. **Recommendations** For versions prior to 3.53.0, upgrade to matrix-react-sdk 3.53.0 to resolve the issue. As there are no known workarounds for this issue, upgrading to the fixed version is the recommended course of action.

**Name of the Vulnerable Software and Affected Versions** nheko versions prior to 0.10.2 **Description** nheko is a desktop client for the Matrix communication application. The issue allows homeservers to insert malicious secrets, which could lead to man-in-the-middle attacks. **Recommendations** For versions prior to 0.10.2, upgrade to version 0.10.2 to protect against this issue. As a temporary workaround, consider applying the patch manually. Avoid doing verifications of one's own devices until the issue is resolved. Restrict access to the request button in the settings menu to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** matrix-js-sdk versions prior to 19.4.0 **Description** The issue is related to errors in handling input data, which can allow a remote attacker to perform a denial-of-service (DoS) attack. Events sent with special strings in key places can temporarily disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer's ability to process data safely. The matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer. **Recommendations** For versions prior to 19.4.0, upgrade to version 19.4.0 to fix the issue. For users unable to upgrade, redacting applicable events, waiting for the sync processor to store data, and restarting the client can often fix the issue. Alternatively, redacting the applicable events and clearing all storage will often fix most perceived issues. In some cases, no workarounds are possible.

**Name of the Vulnerable Software and Affected Versions** matrix-appservice-irc versions prior to 0.33.2 **Description** The issue allows an attacker to manipulate a Matrix user into executing IRC commands by having them reply to a maliciously crafted message. This is due to a vulnerability in the node-irc component of the matrix-appservice-irc software. Users should refrain from replying to messages from untrusted participants in IRC-bridged Matrix rooms to minimize the risk. **Recommendations** For versions prior to 0.33.2, update to version 0.33.2 to resolve the issue. As a temporary workaround, consider refraining from replying to messages from untrusted participants in IRC-bridged Matrix rooms until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Matrix Synapse versions prior to 1.21.0 **Description** The issue is due to unsafe interpolation of the `session` GET parameter in the AuthRestServlet, allowing a remote attacker to execute a cross-site scripting (XSS) attack. This can be done by supplying a victim user with a malicious URL to the "/ matrix/client/r0/auth/*/fallback/web" or "/ matrix/client/unstable/auth/*/fallback/web" Synapse endpoints. The impact depends on the configuration of the domain that Synapse is deployed on, but may allow access to cookies and other browser data, CSRF vulnerabilities, and access to other resources served on the same domain or parent domains. **Recommendations** For Matrix Synapse versions prior to 1.21.0, update to version 1.21.0 or later to fix the issue. As a temporary workaround, consider blocking the affected endpoints at a reverse proxy: * "/ matrix/client/r0/auth/.*/fallback/web" * "/ matrix/client/unstable/auth/.*/fallback/web" This workaround is applicable if the homeserver is not configured to use reCAPTCHA, consent (terms of service), or single sign-on.