PT-2019-17843 · Matrix+2 · Matrix Synapse+2

Neil Johnson · Published 2019-02-07 · Updated 2024-06-15 · CVE-2019-5885

CVSS v4.0: 8.7 (High)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

Matrix Synapse versions prior to 0.34.0.1

Description

When the macaroon secret key authentication parameter is not set, a predictable value is used to derive a secret key and other secrets, which allows remote attackers to impersonate users.

Recommendations

Update to version 0.34.0.1 or later to resolve the issue. As a temporary workaround on versions prior to 0.34.0.1, consider setting the macaroon secret key authentication parameter to a unique and unpredictable value to minimize the risk of exploitation.

Fix

Use of Insufficiently Random Values

Weakness Enumeration

Related Identifiers

ALT-PU-2019-1189
CVE-2019-5885
GHSA-JRQM-V8CV-53WW
OPENSUSE-SU-2024:11041-1
PYSEC-2019-187
USN-6076-1

Affected Products

Alt Linux
Matrix Synapse
Ubuntu