CVE-2022-39335: Sensitive Information Exposure in Synapse

Severity: 5.0 MEDIUM (NVD)
EPSS: 0.2% (top 63.81%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published May 26, latest update Apr 22

Description

Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. The Matrix Federation API allows remote homeservers to request the authorization events in a room. This is necessary so that a homeserver receiving some events can validate that those events are legitimate and permitted in their room. However, in versions of Synapse up to and including 1.68.0, a Synapse homeserver answering a query for authorization events does not sufficiently check that the request

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
Exploitability: 1.6 | Impact: 3.4

Affected Packages (2 packages)

NVD: matrix/synapse < 1.69.0
CVEListV5: matrix-org/synapse < 1.69.0

Patches

🔴 Vulnerability Details (4)

OSV: CVE-2022-39335: Synapse is an open-source Matrix homeserver written and maintained by the Matrix (2023-05-26)
CVEList: Synapse does not apply enough checks to servers requesting auth events of events in a room (2023-05-26)
GHSA: Synapse does not apply enough checks to servers requesting auth events of events in a room (2023-05-24)
OSV: Synapse does not apply enough checks to servers requesting auth events of events in a room (2023-05-24)

📋 Vendor Advisories (2)

Ubuntu: Synapse vulnerabilities (2025-04-22)
Debian: CVE-2022-39335: matrix-synapse - Synapse is an open-source Matrix homeserver written and maintained by the Matrix... (2022)
CVE-2022-39335 — Sensitive Information Exposure | cvebase