CVE-2023-42453Improper Authorization in Synapse

CWE-285Improper Authorization7 documents6 sources
Severity
4.3MEDIUMNVD
CNA3.1
EPSS
0.2%
top 54.63%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Matrix SynapseMatrix-org SynapseFedoraproject Fedora
Timeline
PublishedSep 27
Latest updateApr 22

Description

Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. Users were able to forge read receipts for any event (if they knew the room ID and event ID). Note that the users were not able to view the events, but simply mark it as read. This could be confusing as clients will show the event as read by the user, even if they are not in the room. This issue has been patched in version 1.93.0. Users are advised to upgrade. There are no known workarounds for this

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

NVDmatrix/synapse1.34.01.93.0
CVEListV5matrix-org/synapse>= 0.34.0, < 1.93.0

Also affects: Fedora 37, 38

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

4
OSV
CVE-2023-42453: Synapse is an open-source Matrix homeserver written and maintained by the Matrix2023-09-27
CVEList
Improper validation of receipts allows forged read receipts in matrix synapse2023-09-26
GHSA
matrix-synapse vulnerable to improper validation of receipts allows forged read receipts2023-09-26
OSV
matrix-synapse vulnerable to improper validation of receipts allows forged read receipts2023-09-26

📋Vendor Advisories

2
Ubuntu
Synapse vulnerabilities2025-04-22
Debian
CVE-2023-42453: matrix-synapse - Synapse is an open-source Matrix homeserver written and maintained by the Matrix...2023
CVE-2023-42453 — Improper Authorization in Synapse | cvebase