PT-2023-28988 · Synapse+3 · Synapse+3

Erikjohnston · Published 2023-10-31 · Updated 2025-04-22 · CVE-2023-43796

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions: Synapse versions prior to 1.95.1 and 1.96.0rc1

Description: Synapse is an open-source Matrix homeserver. Prior to versions 1.95.1 and 1.96.0rc1, cached device information of remote users can be queried from Synapse. This can be used to enumerate the remote users known to a homeserver.

Recommendations: To resolve the issue, upgrade to Synapse 1.95.1 or 1.96.0rc1 to receive a patch. As a temporary workaround, the federation domain whitelist can be used to limit federation traffic with a homeserver.

Exploit

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

ALT-PU-2024-3315
CVE-2023-43796
GHSA-MP92-3JFM-3575
OPENSUSE-SU-2024:13392-1
PYSEC-2023-230
USN-7444-1

Affected Products

Alt Linux
Linuxmint
Synapse
Ubuntu