PT-2022-20567 · Synapse+1

Richvdh · Published 2022-08-31 · Updated 2023-08-05 · CVE-2022-31152

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Synapse versions up to and including 1.61.0
Description: Synapse applied the event authorization rules of the Matrix specification incorrectly, which could cause room state to diverge between servers. An attacker could craft events that Synapse would accept but that a spec-conformant server would reject.
Recommendations: For Synapse versions up to and including 1.61.0, upgrade to version 1.62.0 or later. As a temporary workaround, federation can be disabled by setting the federation_domain_whitelist configuration option to an empty list ([]).

Weakness Enumeration

Improper Handling of Exceptional Conditions

Related Identifiers

ALT-PU-2023-4748
CVE-2022-31152
GHSA-JHJH-776M-4765
PYSEC-2022-262

Affected Products

Alt Linux
Synapse