PT-2022-24802 · Dendrite · Dendrite

Credits: Neilalexander +1
Published: 2022-09-12 · Updated: 2024-08-21
CVE-2022-39200
CVSS v3.1: 7.3 High
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: Dendrite versions prior to 0.9.8

Description: The issue concerns events retrieved from a remote homeserver via the "/get_missing_events" federation endpoint, where signatures were not verified correctly. A remote homeserver could therefore supply invalid or modified events to Dendrite through this endpoint. Events retrieved through other endpoints, such as "/event" and "/state", are verified correctly. Homeservers with federation disabled are not vulnerable.

Recommendations: For Dendrite versions prior to 0.9.8, upgrade to Dendrite 0.9.8 to resolve the issue. As a temporary workaround, consider disabling federation to minimize the risk of exploitation. There are no other known workarounds for this issue.
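As an added illustration of the check the description refers to (not code from Dendrite or from this advisory), the following Go verifier applies the Matrix event-signing scheme to an event received over federation: canonical JSON with "signatures" and "unsigned" stripped, and an unpadded-base64 ed25519 signature looked up under signatures[origin]["ed25519:<key id>"]. The origin name, key id and the event used as a fixture are assumptions; the signer is included only to build test data.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
)

// signedPayload renders the event as Matrix canonical JSON (sorted keys, no whitespace)
// with "signatures" and "unsigned" stripped: exactly the bytes the origin server signed.
func signedPayload(event map[string]interface{}) []byte {
	body := map[string]interface{}{}
	for k, v := range event {
		if k != "signatures" && k != "unsigned" {
			body[k] = v
		}
	}
	var buf bytes.Buffer
	enc := json.NewEncoder(&buf)
	enc.SetEscapeHTML(false) // canonical JSON must not escape <, > or &
	if err := enc.Encode(body); err != nil {
		panic(err) // only for unencodable Go values, never for a parsed JSON event
	}
	return bytes.TrimSuffix(buf.Bytes(), []byte("\n"))
}

// SignEvent attaches origin's unpadded-base64 ed25519 signature under
// signatures[origin]["ed25519:"+keyID]; used here only to build fixtures (assumed names).
func SignEvent(event map[string]interface{}, origin, keyID string, priv ed25519.PrivateKey) {
	sig := base64.RawStdEncoding.EncodeToString(ed25519.Sign(priv, signedPayload(event)))
	event["signatures"] = map[string]interface{}{
		origin: map[string]interface{}{"ed25519:" + keyID: sig},
	}
}

// VerifyEventSignature is the check a receiving homeserver must apply to every event
// accepted over federation, whichever endpoint delivered it; true only if the body is intact.
func VerifyEventSignature(event map[string]interface{}, origin, keyID string, pub ed25519.PublicKey) bool {
	sigs, _ := event["signatures"].(map[string]interface{})
	byServer, _ := sigs[origin].(map[string]interface{})
	sigB64, ok := byServer["ed25519:"+keyID].(string)
	if !ok {
		return false // a missing signature is a rejection, never a pass
	}
	sig, err := base64.RawStdEncoding.DecodeString(sigB64)
	return err == nil && ed25519.Verify(pub, signedPayload(event), sig)
}
```

A homeserver that skips this check on one delivery path accepts whatever the remote sends there, which is the class of defect the advisory describes.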

Weakness Enumeration: Improper Verification of Cryptographic Signature

Related Identifiers

CVE-2022-39200
GHSA-PFW4-XJGM-267C
GO-2022-0989

Affected Products

Dendrite