Matrix: >> Synapse >> 0.28.1 Security Vulnerabilities
An issue was discovered in Matrix Sydent before 1.0.3 and Synapse before 0.99.3.1. Random number generation is mishandled, which makes it easier for attackers to predict a Sydent authentication token or a Synapse random ID.
CVSS Score
7.5
EPSS Score
0.005
Published
2019-05-09
Matrix Synapse before 0.34.0.1, when the macaroon_secret_key authentication parameter is not set, uses a predictable value to derive a secret key and other secrets which could allow remote attackers to impersonate users.
CVSS Score
7.5
EPSS Score
0.008
Published
2019-03-21
Matrix Synapse before 0.33.3.1 allows remote attackers to spoof events and possibly have unspecified other impacts by leveraging improper transaction and event signature validation.
CVSS Score
8.8
EPSS Score
0.006
Published
2018-09-18
In Synapse before 0.31.2, unauthorised users can hijack rooms when there is no m.room.power_levels event in force.
CVSS Score
7.5
EPSS Score
0.003
Published
2018-06-14
The on_get_missing_events function in handlers/federation.py in Matrix Synapse before 0.31.1 has a security bug in the get_missing_events federation API where event visibility rules were not applied correctly.
CVSS Score
7.5
EPSS Score
0.002
Published
2018-06-13
Page 4