Matrix · Matrix Synapse · CVE-2020-26257
**Name of the Vulnerable Software and Affected Versions**
Matrix Synapse versions prior to 1.23.1
**Description**
A malicious or poorly-implemented homeserver can inject malformed events into a room by specifying a different room id in the path of API endpoints such as `/send_join`, `/send_leave`, `/invite`, or `/exchange_third_party_invite`. This can lead to a denial of service in which future events will not be correctly sent to other servers over federation. The issue affects any server that accepts federation requests from untrusted servers.
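The mismatch described above can be caught by comparing the room id in the request path with the `room_id` carried in the event body before the event is processed. The following is an added example, not Synapse's own code or its 1.23.1 fix; the function names and sample requests are constructed, and the event is assumed to have been extracted from the request body already.

```python
import re
from urllib.parse import unquote

# The federation endpoints named in the advisory; each carries a room id in the path.
_ROUTE = re.compile(
    r"^/_matrix/federation/v[12]/"
    r"(?:send_join|send_leave|invite|exchange_third_party_invite)"
    r"/(?P<room_id>[^/]+)(?:/[^/]+)?$"
)

class RoomMismatch(ValueError):
    """The room id in the request path disagrees with the event body."""

def check_room_consistency(path: str, event: dict) -> str:
    """Return the validated room id, or raise if path and body disagree."""
    m = _ROUTE.match(path)
    if m is None:
        raise ValueError("not one of the affected federation endpoints")
    path_room = unquote(m.group("room_id"))  # room ids are percent-encoded in the path
    body_room = event.get("room_id")
    if not isinstance(body_room, str):
        raise RoomMismatch("event has no string room_id")
    if body_room != path_room:
        raise RoomMismatch(f"path says {path_room!r}, event says {body_room!r}")
    return path_room

def audit(requests):
    """Classify (path, event) pairs as 'ok' or 'reject: <reason>'."""
    results = []
    for path, event in requests:
        try:
            check_room_consistency(path, event)
            results.append((path, "ok"))
        except RoomMismatch as exc:
            results.append((path, f"reject: {exc}"))
    return results

# Constructed sample requests (room and event ids are made up).
SAMPLES = [
    ("/_matrix/federation/v2/send_join/%21roomA%3Aexample.org/%24ev1",
     {"type": "m.room.member", "room_id": "!roomA:example.org"}),
    ("/_matrix/federation/v1/send_leave/%21roomA%3Aexample.org/%24ev2",
     {"type": "m.room.member", "room_id": "!roomB:example.org"}),
    ("/_matrix/federation/v1/exchange_third_party_invite/%21roomA%3Aexample.org",
     {"type": "m.room.member"}),
]

if __name__ == "__main__":
    for path, verdict in audit(SAMPLES):
        print(verdict, path)
```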
**Recommendations**
For versions prior to 1.23.1, update to version 1.23.1 to resolve the issue.
As a temporary workaround, homeserver administrators could limit access to the federation API to trusted servers, for example via `federation_domain_whitelist`.