PyPI package
matrix-synapse
pkg:pypi/matrix-synapse
Vulnerabilities (44)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2018-16515 | — | | | >= 0.33.3, < 0.33.3.1 | 0.33.3.1 | Sep 18, 2018 | Matrix Synapse before 0.33.3.1 allows remote attackers to spoof events and possibly have unspecified other impacts by leveraging improper transaction and event signature validation. |
| CVE-2018-12423 | — | | | < 0.31.2 | 0.31.2 | Jun 14, 2018 | In Synapse before 0.31.2, unauthorised users can hijack rooms when there is no m.room.power_levels event in force. |
| CVE-2018-12291 | — | | | < 0.31.1 | 0.31.1 | Jun 13, 2018 | The on_get_missing_events function in handlers/federation.py in Matrix Synapse before 0.31.1 has a security bug in the get_missing_events federation API where event visibility rules were not applied correctly. |
| CVE-2018-10657 | — | | | < 0.28.1 | 0.28.1 | May 2, 2018 | Matrix Synapse before 0.28.1 is prone to a denial of service flaw where malicious events injected with depth = 2^63 - 1 render rooms unusable, related to federation/federation_base.py and handlers/message.py, as exploited in the wild in April 2018. |