PT-2018-11098 · Matrix+3 · Matrix Synapse+3

Neilisfragile

Published

2018-06-13

Updated

2024-06-15

CVE-2018-12291

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions Matrix Synapse versions prior to 0.31.1

Description The issue concerns a security bug in the get missing events federation API, specifically in the on get missing events function, where event visibility rules were not applied correctly.

Recommendations For versions prior to 0.31.1, update to version 0.31.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the on get missing events function in handlers/federation.py until a patch is available.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Related Identifiers

ALT-PU-2018-1973

CVE-2018-12291

GHSA-V8WM-G9F2-XJV4

OPENSUSE-SU-2018_1767-1

OPENSUSE-SU-2024:11041-1

USN-6076-1

Affected Products

Alt Linux

Matrix Synapse

Suse

Ubuntu

PT-2018-11098 · Matrix+3 · Matrix Synapse+3

CVE-2018-12291

Related Identifiers

Affected Products

References · 32