PyPI package
matrix-synapse
pkg:pypi/matrix-synapse
Vulnerabilities (44)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2018-16515 | Hig | 8.8 | >= 0.33.3, < 0.33.3.1 | 0.33.3.1 | Sep 18, 2018 | Matrix Synapse before 0.33.3.1 allows remote attackers to spoof events and possibly have unspecified other impacts by leveraging improper transaction and event signature validation. | |
| CVE-2018-12423 | Hig | 7.5 | < 0.31.2 | 0.31.2 | Jun 14, 2018 | In Synapse before 0.31.2, unauthorised users can hijack rooms when there is no m.room.power_levels event in force. | |
| CVE-2018-12291 | Hig | 7.5 | < 0.31.1 | 0.31.1 | Jun 13, 2018 | The on_get_missing_events function in handlers/federation.py in Matrix Synapse before 0.31.1 has a security bug in the get_missing_events federation API where event visibility rules were not applied correctly. | |
| CVE-2018-10657 | Hig | 7.5 | < 0.28.1 | 0.28.1 | May 2, 2018 | Matrix Synapse before 0.28.1 is prone to a denial of service flaw where malicious events injected with depth = 2^63 - 1 render rooms unusable, related to federation/federation_base.py and handlers/message.py, as exploited in the wild in April 2018. |
- affected >= 0.33.3, < 0.33.3.1fixed 0.33.3.1
Matrix Synapse before 0.33.3.1 allows remote attackers to spoof events and possibly have unspecified other impacts by leveraging improper transaction and event signature validation.
- affected < 0.31.2fixed 0.31.2
In Synapse before 0.31.2, unauthorised users can hijack rooms when there is no m.room.power_levels event in force.
- affected < 0.31.1fixed 0.31.1
The on_get_missing_events function in handlers/federation.py in Matrix Synapse before 0.31.1 has a security bug in the get_missing_events federation API where event visibility rules were not applied correctly.
- affected < 0.28.1fixed 0.28.1
Matrix Synapse before 0.28.1 is prone to a denial of service flaw where malicious events injected with depth = 2^63 - 1 render rooms unusable, related to federation/federation_base.py and handlers/message.py, as exploited in the wild in April 2018.
Page 3 of 3