Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWh4bXAtcHFjaC1jOG1t
Denial of service attack via incorrect parameters in Matrix Synapse
Impact
A malicious or poorly-implemented homeserver can inject malformed events into a room by specifying a different room id in the path of a /send_join
, /send_leave
, /invite
or /exchange_third_party_invite
request.
This can lead to a denial of service in which future events will not be correctly sent to other servers over federation.
This affects any server which accepts federation requests from untrusted servers.
Patches
Issue is resolved by https://github.com/matrix-org/synapse/pull/8776.
Workarounds
Homeserver administrators could limit access to the federation API to trusted servers (for example via federation_domain_whitelist
).
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWh4bXAtcHFjaC1jOG1t
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 3 years ago
Updated: about 1 year ago
CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Identifiers: GHSA-hxmp-pqch-c8mm, CVE-2020-26257
References:
- https://github.com/matrix-org/synapse/security/advisories/GHSA-hxmp-pqch-c8mm
- https://github.com/matrix-org/synapse/pull/8776
- https://github.com/matrix-org/synapse/commit/3ce2f303f15f6ac3dc352298972dc6e04d9b7a8b
- https://github.com/matrix-org/synapse/blob/develop/CHANGES.md#synapse-1231-2020-12-09
- https://nvd.nist.gov/vuln/detail/CVE-2020-26257
- https://lists.fedoraproject.org/archives/list/[email protected]/message/DBTIU3ZNBFWZ56V4X7JIAD33V5H2GOMC/
- https://lists.fedoraproject.org/archives/list/[email protected]/message/QR4MMYZKX5N5GYGH4H5LBUUC5TLAFHI7/
- https://github.com/advisories/GHSA-hxmp-pqch-c8mm
Blast Radius: 9.2
Affected Packages
pypi:matrix-synapse
Dependent packages: 3Dependent repositories: 26
Downloads: 12,228 last month
Affected Version Ranges: < 1.23.1
Fixed in: 1.23.1
All affected versions: 0.33.5, 0.33.6, 0.33.7, 0.33.8, 0.33.9, 0.34.0, 0.99.0, 0.99.1, 0.99.2, 0.99.3, 0.99.4, 0.99.5, 1.0.0, 1.1.0, 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.5.0, 1.5.1, 1.6.0, 1.6.1, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.8.0, 1.9.0, 1.9.1, 1.10.0, 1.10.1, 1.11.0, 1.11.1, 1.12.0, 1.12.1, 1.12.2, 1.12.3, 1.12.4, 1.13.0, 1.14.0, 1.15.0, 1.15.1, 1.15.2, 1.16.0, 1.16.1, 1.17.0, 1.18.0, 1.19.0, 1.19.1, 1.19.2, 1.19.3, 1.20.0, 1.20.1, 1.21.0, 1.21.1, 1.21.2, 1.22.0, 1.22.1, 1.23.0
All unaffected versions: 1.23.1, 1.24.0, 1.25.0, 1.26.0, 1.27.0, 1.28.0, 1.29.0, 1.30.0, 1.30.1, 1.31.0, 1.32.0, 1.32.1, 1.32.2, 1.33.0, 1.33.1, 1.33.2, 1.34.0, 1.35.0, 1.35.1, 1.36.0, 1.37.0, 1.37.1, 1.38.0, 1.38.1, 1.39.0, 1.40.0, 1.41.0, 1.41.1, 1.42.0, 1.43.0, 1.44.0, 1.45.0, 1.45.1, 1.46.0, 1.47.0, 1.47.1, 1.48.0, 1.49.0, 1.49.2, 1.50.0, 1.50.1, 1.50.2, 1.51.0, 1.52.0, 1.53.0, 1.54.0, 1.55.0, 1.55.1, 1.55.2, 1.56.0, 1.57.0, 1.57.1, 1.58.0, 1.58.1, 1.59.0, 1.59.1, 1.60.0, 1.61.0, 1.61.1, 1.62.0, 1.63.0, 1.63.1, 1.64.0, 1.65.0, 1.66.0, 1.67.0, 1.68.0, 1.69.0, 1.70.0, 1.70.1, 1.71.0, 1.72.0, 1.73.0, 1.74.0, 1.75.0, 1.76.0, 1.77.0, 1.78.0, 1.79.0, 1.80.0, 1.81.0, 1.82.0, 1.83.0, 1.84.0, 1.84.1, 1.85.0, 1.85.1, 1.85.2, 1.86.0, 1.87.0, 1.88.0, 1.89.0, 1.90.0, 1.91.0, 1.91.1, 1.91.2, 1.92.1, 1.92.2, 1.92.3, 1.93.0, 1.94.0, 1.95.0, 1.95.1, 1.96.1, 1.97.0, 1.98.0, 1.99.0, 1.100.0, 1.101.0, 1.102.0, 1.103.0, 1.104.0, 1.105.0