PT-2023-13719 · Synapse+3

Kasak · Published 2023-05-24 · Updated 2025-04-22 · CVE-2022-39335

CVSS v4.0: 7.7 (High)
Vector: AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Synapse versions up to and including 1.68.0

Description: The Matrix Federation API in Synapse allows remote homeservers to request the authorization events of a room, which is necessary for validating the legitimacy and permissions of events. In affected versions, however, a Synapse homeserver does not sufficiently check whether the requesting server should be able to access these events. The issue can be exploited when a malicious actor knows the ID of a target room and the ID of an event from that room. It is of negligible consequence for public rooms and for deployments in a closed federation where all homeservers are trustworthy.

Recommendations: For Synapse versions up to and including 1.68.0, upgrade to Synapse 1.69.0 to resolve the issue. As a temporary workaround, consider configuring Synapse with a list of trusted servers using the federation domain whitelist to restrict access; this is not practical for homeservers participating in open federation.
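A minimal model of the missing check described above, added here as an illustration and not Synapse's own code. The access rule (a requesting server may read a room's auth events if it has a joined member there or the room is world-readable), the `Room` class and all sample identifiers are assumptions made for this example.

```python
# Added example (not Synapse code): the authorization gap behind CVE-2022-39335
# modelled as a federation handler that serves a room's auth events. Assumed
# rule: a remote server is entitled to the events only if it has a joined
# member in the room, or the room is world-readable (the public-room case the
# advisory calls negligible).
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when a remote server is refused access to room events."""


@dataclass
class Room:
    room_id: str
    members: set[str]                  # joined user IDs, e.g. "@alice:example.org"
    auth_events: dict[str, list[str]]  # event_id -> its auth chain (constructed)
    world_readable: bool = False


def server_of(user_id: str) -> str:
    """The homeserver part of a Matrix user ID (@localpart:server)."""
    return user_id.split(":", 1)[1]


def get_auth_chain_vulnerable(room: Room, origin: str, event_id: str) -> list[str]:
    """Pre-1.69.0 behaviour as the advisory describes it: knowing a room ID and
    an event ID is enough; the requesting server (origin) is never checked."""
    return room.auth_events[event_id]


def server_in_room(room: Room, origin: str) -> bool:
    """True if any joined member of the room belongs to the origin server."""
    return any(server_of(user) == origin for user in room.members)


def get_auth_chain_fixed(room: Room, origin: str, event_id: str) -> list[str]:
    """Hardened handler: refuse unless the origin server is in the room (or the
    room is world-readable); the lookup itself is unchanged."""
    if not (room.world_readable or server_in_room(room, origin)):
        raise Forbidden(f"{origin} is not in room {room.room_id}")
    return room.auth_events[event_id]


# Constructed sample state: a private room with members on two homeservers.
PRIVATE_ROOM = Room(
    room_id="!private:example.org",
    members={"@alice:example.org", "@bob:partner.net"},
    auth_events={"$ev1": ["$create", "$power_levels", "$alice_join"]},
)
```

In the model, a server outside the room can still pull the auth chain from the vulnerable handler, while the fixed handler raises `Forbidden` for it and continues to serve member servers.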

Exploit · Fix

Weakness Enumeration

Missing Authorization
Information Disclosure

Related Identifiers

ALT-PU-2023-4748
CVE-2022-39335
GHSA-45CJ-F97F-GGWV
PYSEC-2023-65
USN-7444-1

Affected Products

Alt Linux
Linuxmint
Synapse
Ubuntu