rpm package
opensuse/matrix-synapse&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/matrix-synapse&distro=openSUSE%20Tumbleweed
Vulnerabilities (35)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2023-32683 | — | < 1.85.2-1.1 | 1.85.2-1.1 | Jun 6, 2023 | Synapse is a Matrix protocol homeserver written in Python with the Twisted framework. A discovered oEmbed or image URL can bypass the `url_preview_url_blacklist` setting potentially allowing server side request forgery or bypassing network policies. Impact is limited to IP addres | ||
| CVE-2023-32682 | — | < 1.85.2-1.1 | 1.85.2-1.1 | Jun 6, 2023 | Synapse is a Matrix protocol homeserver written in Python with the Twisted framework. In affected versions it may be possible for a deactivated user to login when using uncommon configurations. This only applies if any of the following are true: 1. JSON Web Tokens are enabled for | ||
| CVE-2022-31052 | — | < 1.61.1-1.1 | 1.61.1-1.1 | Jun 28, 2022 | Synapse is an open source home server implementation for the Matrix chat network. In versions prior to 1.61.1 URL previews of some web pages can exhaust the available stack space for the Synapse process due to unbounded recursion. This is sometimes recoverable and leads to an err | ||
| CVE-2021-41281 | — | < 1.47.1-1.1 | 1.47.1-1.1 | Nov 23, 2021 | Synapse is a package for Matrix homeservers written in Python 3/Twisted. Prior to version 1.47.1, Synapse instances with the media repository enabled can be tricked into downloading a file from a remote server into an arbitrary directory. No authentication is required for the aff | ||
| CVE-2021-39164 | — | < 1.43.0-1.1 | 1.43.0-1.1 | Aug 31, 2021 | Matrix is an ecosystem for open federated Instant Messaging and Voice over IP. In versions 1.41.0 and prior, unauthorised users can access the membership (list of members, with their display names) of a room if they know the ID of the room. The vulnerability is limited to rooms w | ||
| CVE-2021-39163 | — | < 1.43.0-1.1 | 1.43.0-1.1 | Aug 31, 2021 | Matrix is an ecosystem for open federated Instant Messaging and Voice over IP. In versions 1.41.0 and prior, unauthorised users can access the name, avatar, topic and number of members of a room if they know the ID of the room. This vulnerability is limited to homeservers where t | ||
| CVE-2021-29471 | — | < 1.43.0-1.1 | 1.43.0-1.1 | May 11, 2021 | Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.33.2 "Push rules" can specify conditions under which they will match, including `event_match | ||
| CVE-2021-3449 | — | < 1.43.0-1.1 | 1.43.0-1.1 | Mar 25, 2021 | An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_ce | ||
| CVE-2020-26257 | — | < 1.43.0-1.1 | 1.43.0-1.1 | Dec 9, 2020 | Matrix is an ecosystem for open federated Instant Messaging and VoIP. Synapse is a reference "homeserver" implementation of Matrix. A malicious or poorly-implemented homeserver can inject malformed events into a room by specifying a different room id in the path of a `/send_join` | ||
| CVE-2020-1971 | Med | 5.9 | < 1.43.0-1.1 | 1.43.0-1.1 | Dec 8, 2020 | The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This functi | |
| CVE-2020-26891 | — | < 1.43.0-1.1 | 1.43.0-1.1 | Oct 19, 2020 | AuthRestServlet in Matrix Synapse before 1.21.0 is vulnerable to XSS due to unsafe interpolation of the session GET parameter. This allows a remote attacker to execute an XSS attack on the domain Synapse is hosted on, by supplying the victim user with a malicious URL to the /_mat | ||
| CVE-2020-10108 | — | < 1.43.0-1.1 | 1.43.0-1.1 | Mar 12, 2020 | In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with two content-length headers, it ignored the first header. When the second content-length value was set to zero, the request body was interpreted as a pipelined request. | ||
| CVE-2020-10109 | — | < 1.43.0-1.1 | 1.43.0-1.1 | Mar 12, 2020 | In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted as a pipelined request. | ||
| CVE-2019-5885 | — | < 1.43.0-1.1 | 1.43.0-1.1 | Mar 19, 2019 | Matrix Synapse before 0.34.0.1, when the macaroon_secret_key authentication parameter is not set, uses a predictable value to derive a secret key and other secrets which could allow remote attackers to impersonate users. | ||
| CVE-2018-12291 | Hig | 7.5 | < 1.43.0-1.1 | 1.43.0-1.1 | Jun 13, 2018 | The on_get_missing_events function in handlers/federation.py in Matrix Synapse before 0.31.1 has a security bug in the get_missing_events federation API where event visibility rules were not applied correctly. |
- CVE-2023-32683Jun 6, 2023affected < 1.85.2-1.1fixed 1.85.2-1.1
Synapse is a Matrix protocol homeserver written in Python with the Twisted framework. A discovered oEmbed or image URL can bypass the `url_preview_url_blacklist` setting potentially allowing server side request forgery or bypassing network policies. Impact is limited to IP addres
- CVE-2023-32682Jun 6, 2023affected < 1.85.2-1.1fixed 1.85.2-1.1
Synapse is a Matrix protocol homeserver written in Python with the Twisted framework. In affected versions it may be possible for a deactivated user to login when using uncommon configurations. This only applies if any of the following are true: 1. JSON Web Tokens are enabled for
- CVE-2022-31052Jun 28, 2022affected < 1.61.1-1.1fixed 1.61.1-1.1
Synapse is an open source home server implementation for the Matrix chat network. In versions prior to 1.61.1 URL previews of some web pages can exhaust the available stack space for the Synapse process due to unbounded recursion. This is sometimes recoverable and leads to an err
- CVE-2021-41281Nov 23, 2021affected < 1.47.1-1.1fixed 1.47.1-1.1
Synapse is a package for Matrix homeservers written in Python 3/Twisted. Prior to version 1.47.1, Synapse instances with the media repository enabled can be tricked into downloading a file from a remote server into an arbitrary directory. No authentication is required for the aff
- CVE-2021-39164Aug 31, 2021affected < 1.43.0-1.1fixed 1.43.0-1.1
Matrix is an ecosystem for open federated Instant Messaging and Voice over IP. In versions 1.41.0 and prior, unauthorised users can access the membership (list of members, with their display names) of a room if they know the ID of the room. The vulnerability is limited to rooms w
- CVE-2021-39163Aug 31, 2021affected < 1.43.0-1.1fixed 1.43.0-1.1
Matrix is an ecosystem for open federated Instant Messaging and Voice over IP. In versions 1.41.0 and prior, unauthorised users can access the name, avatar, topic and number of members of a room if they know the ID of the room. This vulnerability is limited to homeservers where t
- CVE-2021-29471May 11, 2021affected < 1.43.0-1.1fixed 1.43.0-1.1
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.33.2 "Push rules" can specify conditions under which they will match, including `event_match
- CVE-2021-3449Mar 25, 2021affected < 1.43.0-1.1fixed 1.43.0-1.1
An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_ce
- CVE-2020-26257Dec 9, 2020affected < 1.43.0-1.1fixed 1.43.0-1.1
Matrix is an ecosystem for open federated Instant Messaging and VoIP. Synapse is a reference "homeserver" implementation of Matrix. A malicious or poorly-implemented homeserver can inject malformed events into a room by specifying a different room id in the path of a `/send_join`
- affected < 1.43.0-1.1fixed 1.43.0-1.1
The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This functi
- CVE-2020-26891Oct 19, 2020affected < 1.43.0-1.1fixed 1.43.0-1.1
AuthRestServlet in Matrix Synapse before 1.21.0 is vulnerable to XSS due to unsafe interpolation of the session GET parameter. This allows a remote attacker to execute an XSS attack on the domain Synapse is hosted on, by supplying the victim user with a malicious URL to the /_mat
- CVE-2020-10108Mar 12, 2020affected < 1.43.0-1.1fixed 1.43.0-1.1
In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with two content-length headers, it ignored the first header. When the second content-length value was set to zero, the request body was interpreted as a pipelined request.
- CVE-2020-10109Mar 12, 2020affected < 1.43.0-1.1fixed 1.43.0-1.1
In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted as a pipelined request.
- CVE-2019-5885Mar 19, 2019affected < 1.43.0-1.1fixed 1.43.0-1.1
Matrix Synapse before 0.34.0.1, when the macaroon_secret_key authentication parameter is not set, uses a predictable value to derive a secret key and other secrets which could allow remote attackers to impersonate users.
- affected < 1.43.0-1.1fixed 1.43.0-1.1
The on_get_missing_events function in handlers/federation.py in Matrix Synapse before 0.31.1 has a security bug in the get_missing_events federation API where event visibility rules were not applied correctly.
Page 2 of 2