VYPR

rpm package

opensuse/matrix-synapse&distro=openSUSE Tumbleweed

pkg:rpm/opensuse/matrix-synapse&distro=openSUSE%20Tumbleweed

Vulnerabilities (35)

  • CVE-2023-32683Jun 6, 2023
    affected < 1.85.2-1.1fixed 1.85.2-1.1

    Synapse is a Matrix protocol homeserver written in Python with the Twisted framework. A discovered oEmbed or image URL can bypass the `url_preview_url_blacklist` setting potentially allowing server side request forgery or bypassing network policies. Impact is limited to IP addres

  • CVE-2023-32682Jun 6, 2023
    affected < 1.85.2-1.1fixed 1.85.2-1.1

    Synapse is a Matrix protocol homeserver written in Python with the Twisted framework. In affected versions it may be possible for a deactivated user to login when using uncommon configurations. This only applies if any of the following are true: 1. JSON Web Tokens are enabled for

  • CVE-2022-31052Jun 28, 2022
    affected < 1.61.1-1.1fixed 1.61.1-1.1

    Synapse is an open source home server implementation for the Matrix chat network. In versions prior to 1.61.1 URL previews of some web pages can exhaust the available stack space for the Synapse process due to unbounded recursion. This is sometimes recoverable and leads to an err

  • CVE-2021-41281Nov 23, 2021
    affected < 1.47.1-1.1fixed 1.47.1-1.1

    Synapse is a package for Matrix homeservers written in Python 3/Twisted. Prior to version 1.47.1, Synapse instances with the media repository enabled can be tricked into downloading a file from a remote server into an arbitrary directory. No authentication is required for the aff

  • CVE-2021-39164Aug 31, 2021
    affected < 1.43.0-1.1fixed 1.43.0-1.1

    Matrix is an ecosystem for open federated Instant Messaging and Voice over IP. In versions 1.41.0 and prior, unauthorised users can access the membership (list of members, with their display names) of a room if they know the ID of the room. The vulnerability is limited to rooms w

  • CVE-2021-39163Aug 31, 2021
    affected < 1.43.0-1.1fixed 1.43.0-1.1

    Matrix is an ecosystem for open federated Instant Messaging and Voice over IP. In versions 1.41.0 and prior, unauthorised users can access the name, avatar, topic and number of members of a room if they know the ID of the room. This vulnerability is limited to homeservers where t

  • CVE-2021-29471May 11, 2021
    affected < 1.43.0-1.1fixed 1.43.0-1.1

    Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.33.2 "Push rules" can specify conditions under which they will match, including `event_match

  • CVE-2021-3449Mar 25, 2021
    affected < 1.43.0-1.1fixed 1.43.0-1.1

    An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_ce

  • CVE-2020-26257Dec 9, 2020
    affected < 1.43.0-1.1fixed 1.43.0-1.1

    Matrix is an ecosystem for open federated Instant Messaging and VoIP. Synapse is a reference "homeserver" implementation of Matrix. A malicious or poorly-implemented homeserver can inject malformed events into a room by specifying a different room id in the path of a `/send_join`

  • CVE-2020-1971MedDec 8, 2020
    affected < 1.43.0-1.1fixed 1.43.0-1.1

    The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This functi

  • CVE-2020-26891Oct 19, 2020
    affected < 1.43.0-1.1fixed 1.43.0-1.1

    AuthRestServlet in Matrix Synapse before 1.21.0 is vulnerable to XSS due to unsafe interpolation of the session GET parameter. This allows a remote attacker to execute an XSS attack on the domain Synapse is hosted on, by supplying the victim user with a malicious URL to the /_mat

  • CVE-2020-10108Mar 12, 2020
    affected < 1.43.0-1.1fixed 1.43.0-1.1

    In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with two content-length headers, it ignored the first header. When the second content-length value was set to zero, the request body was interpreted as a pipelined request.

  • CVE-2020-10109Mar 12, 2020
    affected < 1.43.0-1.1fixed 1.43.0-1.1

    In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted as a pipelined request.

  • CVE-2019-5885Mar 19, 2019
    affected < 1.43.0-1.1fixed 1.43.0-1.1

    Matrix Synapse before 0.34.0.1, when the macaroon_secret_key authentication parameter is not set, uses a predictable value to derive a secret key and other secrets which could allow remote attackers to impersonate users.

  • CVE-2018-12291HigJun 13, 2018
    affected < 1.43.0-1.1fixed 1.43.0-1.1

    The on_get_missing_events function in handlers/federation.py in Matrix Synapse before 0.31.1 has a security bug in the get_missing_events federation API where event visibility rules were not applied correctly.

Page 2 of 2