PyPI package
matrix-synapse
pkg:pypi/matrix-synapse
Vulnerabilities (44)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2022-41952 | — | < 1.53.0 | 1.53.0 | Nov 22, 2022 | Synapse before 1.52.0 with URL preview functionality enabled will attempt to generate URL previews for media stream URLs without properly limiting connection time. Connections will only be terminated after `max_spider_size` (default: 10M) bytes have been downloaded, which can in | ||
| CVE-2022-31152 | — | < 1.62.0rc1 | 1.62.0rc1 | Sep 2, 2022 | Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. The Matrix specification specifies a list of [event authorization rules](https://spec.matrix.org/v1.2/rooms/v9/#authorization-rules) which must be checked when determining if an event | ||
| CVE-2022-31052 | — | < 1.61.1 | 1.61.1 | Jun 28, 2022 | Synapse is an open source home server implementation for the Matrix chat network. In versions prior to 1.61.1 URL previews of some web pages can exhaust the available stack space for the Synapse process due to unbounded recursion. This is sometimes recoverable and leads to an err | ||
| CVE-2021-41281 | — | < 1.47.1 | 1.47.1 | Nov 23, 2021 | Synapse is a package for Matrix homeservers written in Python 3/Twisted. Prior to version 1.47.1, Synapse instances with the media repository enabled can be tricked into downloading a file from a remote server into an arbitrary directory. No authentication is required for the aff | ||
| CVE-2021-39164 | — | < 1.41.1 | 1.41.1 | Aug 31, 2021 | Matrix is an ecosystem for open federated Instant Messaging and Voice over IP. In versions 1.41.0 and prior, unauthorised users can access the membership (list of members, with their display names) of a room if they know the ID of the room. The vulnerability is limited to rooms w | ||
| CVE-2021-39163 | — | < 1.41.1 | 1.41.1 | Aug 31, 2021 | Matrix is an ecosystem for open federated Instant Messaging and Voice over IP. In versions 1.41.0 and prior, unauthorised users can access the name, avatar, topic and number of members of a room if they know the ID of the room. This vulnerability is limited to homeservers where t | ||
| CVE-2021-29471 | — | < 1.33.2 | 1.33.2 | May 11, 2021 | Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.33.2 "Push rules" can specify conditions under which they will match, including `event_match | ||
| CVE-2021-21392 | — | < 1.28.0rc1 | 1.28.0rc1 | Apr 12, 2021 | Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0 requests to user provided domains were not restricted to external IP addresses when tra | ||
| CVE-2021-21393 | — | < 1.28.0 | 1.28.0 | Apr 12, 2021 | Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0 Synapse is missing input validation of some parameters on the endpoints used to confirm | ||
| CVE-2021-21394 | — | < 1.28.0 | 1.28.0 | Apr 12, 2021 | Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0 Synapse is missing input validation of some parameters on the endpoints used to confirm | ||
| CVE-2021-21333 | — | < 1.27.0 | 1.27.0 | Mar 26, 2021 | Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.27.0, the notification emails sent for notifications for missed messages or for an expiring | ||
| CVE-2021-21332 | — | < 1.27.0 | 1.27.0 | Mar 26, 2021 | Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.27.0, the password reset endpoint served via Synapse was vulnerable to cross-site scripting | ||
| CVE-2021-21273 | — | < 1.25.0 | 1.25.0 | Feb 26, 2021 | Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.25.0, requests to user provided domains were not restricted to external IP addresses when ca | ||
| CVE-2021-21274 | — | >= 0.99.0, < 1.25.0 | 1.25.0 | Feb 26, 2021 | Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.25.0, a malicious homeserver could redirect requests to their .well-known file to a large fi | ||
| CVE-2020-26257 | — | < 1.23.1 | 1.23.1 | Dec 9, 2020 | Matrix is an ecosystem for open federated Instant Messaging and VoIP. Synapse is a reference "homeserver" implementation of Matrix. A malicious or poorly-implemented homeserver can inject malformed events into a room by specifying a different room id in the path of a `/send_join` | ||
| CVE-2020-26890 | — | < 1.20.0 | 1.20.0 | Nov 24, 2020 | Matrix Synapse before 1.20.0 erroneously permits non-standard NaN, Infinity, and -Infinity JSON values in fields of m.room.member events, allowing remote attackers to execute a denial of service attack against the federation and common Matrix clients. If such a malformed event is | ||
| CVE-2020-26891 | — | < 1.21.0 | 1.21.0 | Oct 19, 2020 | AuthRestServlet in Matrix Synapse before 1.21.0 is vulnerable to XSS due to unsafe interpolation of the session GET parameter. This allows a remote attacker to execute an XSS attack on the domain Synapse is hosted on, by supplying the victim user with a malicious URL to the /_mat | ||
| CVE-2019-18835 | — | < 1.5.0 | 1.5.0 | Nov 7, 2019 | Matrix Synapse before 1.5.0 mishandles signature checking on some federation APIs. Events sent over /send_join, /send_leave, and /invite may not be correctly signed, or may not come from the expected servers. | ||
| CVE-2019-11842 | — | < 0.99.3.1 | 0.99.3.1 | May 9, 2019 | An issue was discovered in Matrix Sydent before 1.0.3 and Synapse before 0.99.3.1. Random number generation is mishandled, which makes it easier for attackers to predict a Sydent authentication token or a Synapse random ID. | ||
| CVE-2019-5885 | — | < 0.34.0.1 | 0.34.0.1 | Mar 19, 2019 | Matrix Synapse before 0.34.0.1, when the macaroon_secret_key authentication parameter is not set, uses a predictable value to derive a secret key and other secrets which could allow remote attackers to impersonate users. |
- CVE-2022-41952Nov 22, 2022affected < 1.53.0fixed 1.53.0
Synapse before 1.52.0 with URL preview functionality enabled will attempt to generate URL previews for media stream URLs without properly limiting connection time. Connections will only be terminated after `max_spider_size` (default: 10M) bytes have been downloaded, which can in
- CVE-2022-31152Sep 2, 2022affected < 1.62.0rc1fixed 1.62.0rc1
Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. The Matrix specification specifies a list of [event authorization rules](https://spec.matrix.org/v1.2/rooms/v9/#authorization-rules) which must be checked when determining if an event
- CVE-2022-31052Jun 28, 2022affected < 1.61.1fixed 1.61.1
Synapse is an open source home server implementation for the Matrix chat network. In versions prior to 1.61.1 URL previews of some web pages can exhaust the available stack space for the Synapse process due to unbounded recursion. This is sometimes recoverable and leads to an err
- CVE-2021-41281Nov 23, 2021affected < 1.47.1fixed 1.47.1
Synapse is a package for Matrix homeservers written in Python 3/Twisted. Prior to version 1.47.1, Synapse instances with the media repository enabled can be tricked into downloading a file from a remote server into an arbitrary directory. No authentication is required for the aff
- CVE-2021-39164Aug 31, 2021affected < 1.41.1fixed 1.41.1
Matrix is an ecosystem for open federated Instant Messaging and Voice over IP. In versions 1.41.0 and prior, unauthorised users can access the membership (list of members, with their display names) of a room if they know the ID of the room. The vulnerability is limited to rooms w
- CVE-2021-39163Aug 31, 2021affected < 1.41.1fixed 1.41.1
Matrix is an ecosystem for open federated Instant Messaging and Voice over IP. In versions 1.41.0 and prior, unauthorised users can access the name, avatar, topic and number of members of a room if they know the ID of the room. This vulnerability is limited to homeservers where t
- CVE-2021-29471May 11, 2021affected < 1.33.2fixed 1.33.2
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.33.2 "Push rules" can specify conditions under which they will match, including `event_match
- CVE-2021-21392Apr 12, 2021affected < 1.28.0rc1fixed 1.28.0rc1
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0 requests to user provided domains were not restricted to external IP addresses when tra
- CVE-2021-21393Apr 12, 2021affected < 1.28.0fixed 1.28.0
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0 Synapse is missing input validation of some parameters on the endpoints used to confirm
- CVE-2021-21394Apr 12, 2021affected < 1.28.0fixed 1.28.0
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0 Synapse is missing input validation of some parameters on the endpoints used to confirm
- CVE-2021-21333Mar 26, 2021affected < 1.27.0fixed 1.27.0
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.27.0, the notification emails sent for notifications for missed messages or for an expiring
- CVE-2021-21332Mar 26, 2021affected < 1.27.0fixed 1.27.0
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.27.0, the password reset endpoint served via Synapse was vulnerable to cross-site scripting
- CVE-2021-21273Feb 26, 2021affected < 1.25.0fixed 1.25.0
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.25.0, requests to user provided domains were not restricted to external IP addresses when ca
- CVE-2021-21274Feb 26, 2021affected >= 0.99.0, < 1.25.0fixed 1.25.0
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.25.0, a malicious homeserver could redirect requests to their .well-known file to a large fi
- CVE-2020-26257Dec 9, 2020affected < 1.23.1fixed 1.23.1
Matrix is an ecosystem for open federated Instant Messaging and VoIP. Synapse is a reference "homeserver" implementation of Matrix. A malicious or poorly-implemented homeserver can inject malformed events into a room by specifying a different room id in the path of a `/send_join`
- CVE-2020-26890Nov 24, 2020affected < 1.20.0fixed 1.20.0
Matrix Synapse before 1.20.0 erroneously permits non-standard NaN, Infinity, and -Infinity JSON values in fields of m.room.member events, allowing remote attackers to execute a denial of service attack against the federation and common Matrix clients. If such a malformed event is
- CVE-2020-26891Oct 19, 2020affected < 1.21.0fixed 1.21.0
AuthRestServlet in Matrix Synapse before 1.21.0 is vulnerable to XSS due to unsafe interpolation of the session GET parameter. This allows a remote attacker to execute an XSS attack on the domain Synapse is hosted on, by supplying the victim user with a malicious URL to the /_mat
- CVE-2019-18835Nov 7, 2019affected < 1.5.0fixed 1.5.0
Matrix Synapse before 1.5.0 mishandles signature checking on some federation APIs. Events sent over /send_join, /send_leave, and /invite may not be correctly signed, or may not come from the expected servers.
- CVE-2019-11842May 9, 2019affected < 0.99.3.1fixed 0.99.3.1
An issue was discovered in Matrix Sydent before 1.0.3 and Synapse before 0.99.3.1. Random number generation is mishandled, which makes it easier for attackers to predict a Sydent authentication token or a Synapse random ID.
- CVE-2019-5885Mar 19, 2019affected < 0.34.0.1fixed 0.34.0.1
Matrix Synapse before 0.34.0.1, when the macaroon_secret_key authentication parameter is not set, uses a predictable value to derive a secret key and other secrets which could allow remote attackers to impersonate users.
Page 2 of 3