CVE-2019-18835Insufficient Verification of Data Authenticity in Synapse

CWE-345Insufficient Verification of Data AuthenticityCWE-347Improper Verification of Cryptographic Signature10 documents7 sources
Severity
9.8CRITICALNVD
OSV7.5
EPSS
0.2%
top 62.74%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Matrix Synapse
Timeline
PublishedNov 8
Latest updateMay 16

Description

Matrix Synapse before 1.5.0 mishandles signature checking on some federation APIs. Events sent over /send_join, /send_leave, and /invite may not be correctly signed, or may not come from the expected servers.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages1 packages

NVDmatrix/synapse< 1.5.0

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

5
OSV
matrix-synapse vulnerabilities2023-05-16
OSV
Improper Verification of Cryptographic Signature in matrix-synapse2022-05-24
GHSA
Improper Verification of Cryptographic Signature in matrix-synapse2022-05-24
OSV
CVE-2019-18835: Matrix Synapse before 12019-11-08
CVEList
CVE-2019-18835: Matrix Synapse before 12019-11-07

📋Vendor Advisories

2
Ubuntu
Synapse vulnerabilities2023-05-16
Debian
CVE-2019-18835: matrix-synapse - Matrix Synapse before 1.5.0 mishandles signature checking on some federation API...2019

💬Community

2
Bugzilla
CVE-2019-18835 matrix-synapse: mishandles signature checking on some federation APIs [fedora-all]2019-11-08
Bugzilla
CVE-2019-18835 matrix-synapse: mishandles signature checking on some federation APIs2019-11-08
CVE-2019-18835 — Matrix Synapse vulnerability | cvebase