Rapid7 Vulnerability & Exploit Database

FreeBSD: VID-38D2DF4D-B143-11E9-87E7-901B0E934D69: py-matrix-synapse -- multiple vulnerabilities


Severity: 4
CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published: 07/26/2019
Created: 07/29/2019
Added: 07/29/2019
Modified: 07/29/2019

Description

Matrix developers report:

The Matrix team releases Synapse 1.2.1 as a critical security update. It contains patches relating to redactions and event federation:

  • Prevent an attack where a federated server could send redactions for arbitrary events in v1 and v2 rooms.
  • Prevent a denial-of-service attack where cycles of redaction events would make Synapse spin infinitely.
  • Prevent an attack where users could be joined or parted from public rooms without their consent.
  • Fix a vulnerability where a federated server could spoof read-receipts from users on other servers.
  • It was possible for a room moderator to send a redaction for an m.room.create event, which would downgrade the room to version 1.

Solution(s)

  • freebsd-upgrade-package-py27-matrix-synapse
  • freebsd-upgrade-package-py35-matrix-synapse
  • freebsd-upgrade-package-py36-matrix-synapse
  • freebsd-upgrade-package-py37-matrix-synapse
