CVE-2022-39374

NameCVE-2022-39374
DescriptionSynapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. If Synapse and a malicious homeserver are both joined to the same room, the malicious homeserver can trick Synapse into accepting previously rejected events into its view of the current state of that room. This can be exploited in a way that causes all further messages and state changes sent in that room from the vulnerable homeserver to be rejected. This issue has been patched in version 1.68.0
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
matrix-synapse (PTS)trixie1.100.0-1fixed
sid1.103.0-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
matrix-synapsesource(unstable)1.68.0-1

Notes

https://matrix.org/blog/2023/05/24/disclosing-synapse-security-advisories/
https://github.com/matrix-org/synapse/security/advisories/GHSA-p9qp-c452-f9r7
https://bugzilla.redhat.com/show_bug.cgi?id=2209956
Search for package or bug name: Reporting problems