Matrix: >> Synapse >> 0.18.5 Security Vulnerabilities
Matrix Synapse before 0.34.0.1, when the macaroon_secret_key authentication parameter is not set, uses a predictable value to derive a secret key and other secrets which could allow remote attackers to impersonate users.
CVSS Score
7.5
EPSS Score
0.008
Published
2019-03-21
Matrix Synapse before 0.33.3.1 allows remote attackers to spoof events and possibly have unspecified other impacts by leveraging improper transaction and event signature validation.
CVSS Score
8.8
EPSS Score
0.006
Published
2018-09-18
In Synapse before 0.31.2, unauthorised users can hijack rooms when there is no m.room.power_levels event in force.
CVSS Score
7.5
EPSS Score
0.003
Published
2018-06-14
The on_get_missing_events function in handlers/federation.py in Matrix Synapse before 0.31.1 has a security bug in the get_missing_events federation API where event visibility rules were not applied correctly.
CVSS Score
7.5
EPSS Score
0.002
Published
2018-06-13
Matrix Synapse before 0.28.1 is prone to a denial of service flaw where malicious events injected with depth = 2^63 - 1 render rooms unusable, related to federation/federation_base.py and handlers/message.py, as exploited in the wild in April 2018.
CVSS Score
7.5
EPSS Score
0.004
Published
2018-05-02
Page 4