Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS1wZnc0LXhqZ20tMjY3Y84AAuzz

Dendrite signature checks not applied to some retrieved missing events

Impact

Events retrieved from a remote homeserver using /get_missing_events did not have their signatures verified correctly. This could potentially allow a remote homeserver to provide invalid/modified events to Dendrite via this endpoint.

Note that this does not apply to events retrieved through other endpoints (e.g. /event, /state) as they have been correctly verified.

Homeservers that have federation disabled are not vulnerable.

Patches

The problem has been fixed in Dendrite 0.9.8.

Workarounds

There are no workarounds.

Special thanks

Tulir Asokan, who spotted the issue originally.

Permalink: https://github.com/advisories/GHSA-pfw4-xjgm-267c
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1wZnc0LXhqZ20tMjY3Y84AAuzz
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 1 year ago
Updated: about 1 year ago

CVSS Score: 7.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Identifiers: GHSA-pfw4-xjgm-267c, CVE-2022-39200
References:

• https://github.com/matrix-org/dendrite/security/advisories/GHSA-pfw4-xjgm-267c
• https://nvd.nist.gov/vuln/detail/CVE-2022-39200
• https://github.com/matrix-org/dendrite/commit/2792d0490f3771488bad346981b8c26479a872c3
• https://github.com/advisories/GHSA-pfw4-xjgm-267c

Repository: https://github.com/matrix-org/dendrite
Blast Radius: 2.2

Affected Packages