Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1wZnc0LXhqZ20tMjY3Y84AAuzz
Dendrite signature checks not applied to some retrieved missing events
Impact
Events retrieved from a remote homeserver using /get_missing_events
did not have their signatures verified correctly. This could potentially allow a remote homeserver to provide invalid/modified events to Dendrite via this endpoint.
Note that this does not apply to events retrieved through other endpoints (e.g. /event
, /state
) as they have been correctly verified.
Homeservers that have federation disabled are not vulnerable.
Patches
The problem has been fixed in Dendrite 0.9.8.
Workarounds
There are no workarounds.
Special thanks
Tulir Asokan, who spotted the issue originally.
Permalink: https://github.com/advisories/GHSA-pfw4-xjgm-267cJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1wZnc0LXhqZ20tMjY3Y84AAuzz
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 1 year ago
Updated: about 1 year ago
CVSS Score: 7.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Identifiers: GHSA-pfw4-xjgm-267c, CVE-2022-39200
References:
- https://github.com/matrix-org/dendrite/security/advisories/GHSA-pfw4-xjgm-267c
- https://nvd.nist.gov/vuln/detail/CVE-2022-39200
- https://github.com/matrix-org/dendrite/commit/2792d0490f3771488bad346981b8c26479a872c3
- https://github.com/advisories/GHSA-pfw4-xjgm-267c
Blast Radius: 2.2
Affected Packages
go:github.com/matrix-org/dendrite
Dependent packages: 5Dependent repositories: 2
Downloads:
Affected Version Ranges: < 0.9.8
Fixed in: 0.9.8
All affected versions: 0.1.0, 0.2.0, 0.2.1, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.3.6, 0.3.7, 0.3.8, 0.3.9, 0.3.10, 0.3.11, 0.4.0, 0.4.1, 0.5.0, 0.5.1, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.6.4, 0.6.5, 0.7.0, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.8.5, 0.8.6, 0.8.7, 0.8.8, 0.8.9, 0.9.0, 0.9.1, 0.9.2, 0.9.3, 0.9.4, 0.9.5, 0.9.6, 0.9.7
All unaffected versions: 0.9.8, 0.9.9, 0.10.0, 0.10.1, 0.10.2, 0.10.3, 0.10.4, 0.10.5, 0.10.6, 0.10.7, 0.10.8, 0.10.9, 0.11.0, 0.11.1, 0.12.0, 0.13.0, 0.13.1, 0.13.2, 0.13.3, 0.13.4, 0.13.5, 0.13.6, 0.13.7