CVE-2023-41335

CVSS v3.1

3.7

Low

Vector

AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions Synapse versions prior to 1.93.0

Description The issue concerns the temporary storage of user passwords in the server database when users update their credentials. Although this does not grant the server any additional capabilities, it disrupts the expectation that passwords will not be stored in the database. As a result, these passwords could be inadvertently captured in database backups for a longer duration. The temporarily stored passwords are automatically erased after a 48-hour window.

Recommendations For versions prior to 1.93.0, upgrade to version 1.93.0 to address the issue. There are no known workarounds for this issue.

Exploit

Fix

Cleartext Storage of Sensitive Information

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-312

Related Identifiers

ALT-PU-2024-3315

CVE-2023-41335

GHSA-4F74-84V3-J9Q5

OPENSUSE-SU-2024:13270-1

PYSEC-2023-185

USN-7444-1

Affected Products

Alt Linux

Linuxmint

Synapse

Ubuntu

CVE-2023-41335

Weakness Enumeration

Related Identifiers

Affected Products

References · 36