GHSA-56w4-5538-8v8h

Опубликовано: 03 дек. 2024

Источник: github

Github: Прошло ревью

CVSS3: 4.3

Описание

Synapse Matrix has a partial room state leak via Sliding Sync

Impact

The Sliding Sync feature on Synapse versions between 1.113.0rc1 and 1.120.0 can leak partial room state changes to users no longer in a room. Non-state events, like messages, are unaffected.

Patches

Synapse version 1.120.1 fixes the problem.

Workarounds

Disable Sliding Sync.

References

https://github.com/matrix-org/matrix-spec-proposals/pull/4186 https://github.com/element-hq/synapse/blob/d80cd57c54427687afcb48740d99219c88a0fff1/synapse/config/experimental.py#L341-L344

For more information

If you have any questions or comments about this advisory, please email us at security at element.io.

Ссылки

Пакеты

Наименование

matrix-synapse

pip

Затронутые версииВерсия исправления

>= 1.113.0rc1, < 1.120.1

1.120.1

EPSS

Процентиль: 27%

0.00098

Низкий

4.3 Medium

CVSS3

CVE ID

CVE-2024-53867

Дефекты

CWE-497

Связанные уязвимости

CVE-2024-53867

CVSS3: 4.3

ubuntu

около 1 года назад

Synapse is an open-source Matrix homeserver. The Sliding Sync feature on Synapse versions between 1.113.0rc1 and 1.120.0 can leak partial room state changes to users no longer in a room. Non-state events, like messages, are unaffected. This vulnerability is fixed in 1.120.1.

CVE-2024-53867

CVSS3: 4.3

nvd

около 1 года назад

CVE-2024-53867

CVSS3: 4.3

debian

около 1 года назад

Synapse is an open-source Matrix homeserver. The Sliding Sync feature ...

EPSS

Процентиль: 27%

0.00098

Низкий

4.3 Medium

CVSS3

CVE ID

CVE-2024-53867

Дефекты

CWE-497