CVE-2023-41335: Cleartext Storage of Sensitive Info in Synapse

Severity
3.7 LOW (NVD)
EPSS
0.2% (top 61.00%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Sep 27, 2023
Latest update: Apr 22, 2025

Description

Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. When users update their passwords, the new credentials may be briefly held in the server database. While this doesn't grant the server any added capabilities—it already learns the users' passwords as part of the authentication process—it does disrupt the expectation that passwords won't be stored in the database. As a result, these passwords could inadvertently be captured in database backups for a l

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N
Exploitability: 1.2 | Impact: 2.5

Affected Packages (2 packages)

Source      Package              Affected range
NVD         matrix/synapse       from 1.66.0 up to 1.93.0
CVEListV5   matrix-org/synapse   >= 1.66.0, < 1.93.0

Also affects: Fedora 37, 38
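Added example, not from the page or the Synapse project: applying the range stated above to deployed version strings. Synapse also ships release candidates (for example 1.93.0rc1), and the comparison below treats a pre-release as sorting before the final release of the same number (PEP 440 ordering, which is what pip uses for "< 1.93.0"), so the page's bounds are applied literally; which release candidate actually carries the fix is not stated on this page, so confirm that against the upstream advisory before clearing a host. The version strings in the sample inventory are constructed.

```python
import re

# Affected range as stated on this page (CVEListV5 entry): >= 1.66.0, < 1.93.0.
AFFECTED_FROM = "1.66.0"
FIXED_IN = "1.93.0"


def version_key(text):
    """Sort key for Synapse version strings such as '1.92.3', 'v1.93.0', '1.93.0rc1'.

    A release candidate sorts before the final release of the same number
    (PEP 440 ordering), which is how pip resolves a '< 1.93.0' bound.
    """
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:rc(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Synapse version: {text!r}")
    major, minor, patch, rc = m.groups()
    # Final release: the rc slot is +inf so it sorts after every rcN.
    pre = int(rc) if rc is not None else float("inf")
    return (int(major), int(minor), int(patch), pre)


def is_affected(text, affected_from=AFFECTED_FROM, fixed_in=FIXED_IN):
    """True if the version falls inside [affected_from, fixed_in)."""
    return version_key(affected_from) <= version_key(text) < version_key(fixed_in)


def triage(versions):
    """Map each deployed version string to whether it is in the affected range."""
    return {v: is_affected(v) for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory of homeserver versions, not real hosts.
    sample = ["1.65.0", "1.66.0rc1", "1.66.0", "1.92.3", "1.93.0rc1", "1.93.0", "1.95.1"]
    for v, hit in triage(sample).items():
        print(f"{v:10} {'AFFECTED' if hit else 'ok'}")
```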

Patches

Vulnerability Details (4)

OSV      2023-09-27  CVE-2023-41335: Synapse is an open-source Matrix homeserver written and maintained by the Matrix...
OSV      2023-09-26  matrix-synapse vulnerable to temporary storage of plaintext passwords during password changes
GHSA     2023-09-26  matrix-synapse vulnerable to temporary storage of plaintext passwords during password changes
CVEList  2023-09-26  Temporary storage of plaintext passwords during password changes in matrix synapse

Vendor Advisories (2)

Ubuntu   2025-04-22  Synapse vulnerabilities
Debian   2023        CVE-2023-41335: matrix-synapse - Synapse is an open-source Matrix homeserver written and maintained by the Matrix...
CVE-2023-41335 — Cleartext Storage of Sensitive Info | cvebase