CVE-2019-5885: Use of Insufficiently Random Values in Synapse

Severity: 7.5 HIGH (NVD)
EPSS: 0.8% (top 26.19%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 21; latest update May 16

Description

Matrix Synapse before 0.34.0.1, when the macaroon_secret_key authentication parameter is not set, uses a predictable value to derive a secret key and other secrets which could allow remote attackers to impersonate users.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (1 package)

NVD: matrix/synapse < 0.34.0.1

Also affects: Fedora 28, 29

🔴 Vulnerability Details (4)

OSV (2022-05-13): Matrix Synapse Predictable Secret Key
GHSA (2022-05-13): Matrix Synapse Predictable Secret Key
OSV (2019-03-21): CVE-2019-5885: Matrix Synapse before 0
CVEList (2019-03-19): CVE-2019-5885: Matrix Synapse before 0

📋 Vendor Advisories (2)

Ubuntu (2023-05-16): Synapse vulnerabilities
Debian (2019): CVE-2019-5885: matrix-synapse - Matrix Synapse before 0.34.0.1, when the macaroon_secret_key authentication para...