CVE-2022-36009

Name of the Vulnerable Software and Affected Versions Dendrite versions prior to 0.9.3 gomatrixserverlib versions prior to commit 723fd49

Description The power level parsing within gomatrixserverlib was failing to parse the "events default" key of the m.room.power levels event, defaulting the event default power level to zero in all cases. Power levels are the matrix terminology for user access level. In rooms where the "events default" power level had been changed, this could result in events either being incorrectly authorised or rejected by Dendrite servers.

Recommendations For Dendrite versions prior to 0.9.3, upgrade to Dendrite 0.9.3 or later. For gomatrixserverlib versions prior to commit 723fd49, update gomatrixserverlib to a version that includes the fix, at least commit 723fd49. As a temporary workaround, consider avoiding changes to the "events default" power level in matrix rooms until the issue is resolved.