PT-2023-13722 · Synapse+2

Kasak · Published 2023-05-24 · Updated 2025-04-22 · CVE-2022-39374

CVSS v4.0: 7.1 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Synapse versions prior to 1.68.0

Description: The issue occurs when Synapse and a malicious homeserver are both joined to the same room. The malicious homeserver can trick Synapse into accepting previously rejected events into its view of the current state of that room. This can be exploited to cause all further messages and state changes sent in that room from the vulnerable homeserver to be rejected. Synapse homeservers are affected if they are joined to rooms that have members from untrusted homeservers.

Recommendations: For Synapse versions prior to 1.68.0, upgrade to version 1.68.0 or later to resolve the issue. As a temporary workaround, consider disabling federation by setting the federation domain whitelist (the federation_domain_whitelist setting in homeserver.yaml) to an empty list ([]). This limits exposure until the patch is applied.

Exploit · Fix · Resource Exhaustion

Weakness Enumeration

Related Identifiers

CVE-2022-39374
GHSA-P9QP-C452-F9R7
PYSEC-2023-66
USN-7444-1

Affected Products

Linuxmint
Synapse
Ubuntu