CVE-2019-18835: Matrix Synapse before 1.5.0 mishandles signature checking on some federation APIs. Events sent over /send_join, /send_leave, and /invite may not be correctly…

critical9.8CVSS 3.1

AVNACLPRNUINSUCHIHAH

Matrix Synapse before 1.5.0 mishandles signature checking on some federation APIs. Events sent over /send_join, /send_leave, and /invite may not be correctly signed, or may not come from the expected servers.

Affected

2 ranges

Vendor	Product	Version range	Fixed in
debian	matrix-synapse	< matrix-synapse 1.5.0-1 (forky)	matrix-synapse 1.5.0-1 (forky)
matrix	synapse	< 1.5.0	1.5.0

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

osv9.8CRITICAL