Insufficient Verification of Data Authenticity

Affecting the matrix-synapse package, versions [,1.5.0rc2) (every release before 1.5.0rc2)


Overview

matrix-synapse is an ecosystem for open federated Instant Messaging and VoIP.

Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity because they mishandle signature checking on some federation APIs. Events received over /send_join, /send_leave, and /invite may not be correctly signed, or may not come from the hosts they are expected to come from, and are still processed.
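The two checks a federation endpoint must make before trusting one of these events are that the event's sender belongs to the server that delivered it, and that this server has signed the event. The following is an added example written for this page, not Synapse's code or its fix: it implements those checks over Matrix-style canonical JSON (sorted keys, no whitespace, `signatures` and `unsigned` stripped before signing), but substitutes HMAC-SHA256 with constructed per-server secrets for the real ed25519 server keys so that it runs offline. The acceptance policy in `check_federation_event` is an assumption for illustration, not a statement of what the advisory's fix does.

```python
"""Added example (not matrix-synapse code): origin and signature checks for
events delivered over federation endpoints such as /send_join, /send_leave
and /invite."""
import base64
import copy
import hashlib
import hmac
import json

# Constructed stand-in key material: one shared secret per server and key id.
# Real Matrix servers publish ed25519 public keys; HMAC is used here only so
# the example is self-contained.
SERVER_KEYS = {
    "alice.example": {"ed25519:k1": b"alice-secret-for-demo"},
    "bob.example": {"ed25519:k1": b"bob-secret-for-demo"},
}

FEDERATION_ENDPOINTS = {"send_join", "send_leave", "invite"}


def canonical_json(obj) -> bytes:
    """Canonical JSON: sorted keys, no insignificant whitespace, UTF-8."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def signable_bytes(event: dict) -> bytes:
    """Bytes a server signs: the event without `signatures` and `unsigned`."""
    stripped = {k: v for k, v in event.items() if k not in ("signatures", "unsigned")}
    return canonical_json(stripped)


def _mac(key: bytes, data: bytes) -> str:
    # Unpadded base64, the encoding Matrix uses for signatures.
    digest = hmac.new(key, data, hashlib.sha256).digest()
    return base64.b64encode(digest).decode().rstrip("=")


def sign_event(event: dict, server: str, key_id: str) -> dict:
    """Return a copy of `event` with `server`'s signature under
    signatures[server][key_id] (stand-in for ed25519 signing)."""
    signed = copy.deepcopy(event)
    sig = _mac(SERVER_KEYS[server][key_id], signable_bytes(signed))
    signed.setdefault("signatures", {}).setdefault(server, {})[key_id] = sig
    return signed


def server_of(user_id: str) -> str:
    """Matrix user ids look like @localpart:server; return the server part."""
    return user_id.split(":", 1)[1] if ":" in user_id else ""


def has_valid_signature(event: dict, server: str) -> bool:
    """True if `server` signed exactly this event with a key known for it."""
    sigs = event.get("signatures", {}).get(server, {})
    keys = SERVER_KEYS.get(server, {})
    payload = signable_bytes(event)
    for key_id, sig in sigs.items():
        if key_id in keys and hmac.compare_digest(sig, _mac(keys[key_id], payload)):
            return True
    return False


def check_federation_event(event: dict, origin: str, endpoint: str) -> tuple:
    """Accept an event from `origin` only if it is attributable to that host.

    Assumed policy (illustrative, not taken from the advisory): the sender must
    belong to the requesting server, and that server must have signed the event.
    Returns (accepted, reason).
    """
    if endpoint not in FEDERATION_ENDPOINTS:
        return False, f"unknown endpoint {endpoint}"
    sender = event.get("sender", "")
    if server_of(sender) != origin:
        return False, f"sender {sender!r} does not belong to origin {origin!r}"
    if not has_valid_signature(event, origin):
        return False, f"no valid signature from {origin!r}"
    return True, "ok"


# Constructed sample: a join event for a user on alice.example, as it would be
# delivered by alice.example over /send_join.
JOIN_EVENT = sign_event(
    {
        "type": "m.room.member",
        "room_id": "!room:bob.example",
        "sender": "@alice:alice.example",
        "state_key": "@alice:alice.example",
        "content": {"membership": "join"},
        "origin_server_ts": 1573200000000,
    },
    "alice.example",
    "ed25519:k1",
)

if __name__ == "__main__":
    print(check_federation_event(JOIN_EVENT, "alice.example", "send_join"))
    print(check_federation_event(JOIN_EVENT, "mallory.example", "send_join"))
```

The same event is accepted when alice.example delivers it and rejected when any other origin does, and any change to the signed fields, or the absence of the origin's signature, is likewise rejected; an endpoint that skipped either check would be in the position the advisory describes.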

Remediation

Upgrade matrix-synapse to version 1.5.0rc2 or higher.

CVSS Score

8.7 (high severity)
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
  • Confidentiality: High
  • Integrity: High
  • Availability: None
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

Credit: Unknown
CVE: CVE-2019-18835
CWE: CWE-345
Snyk ID: SNYK-PYTHON-MATRIXSYNAPSE-480456
Disclosed: 08 Nov, 2019
Published: 08 Nov, 2019