CVE-2023-43796 — Sensitive Information Exposure in Synapse

CWE-200 — Sensitive Information Exposure CWE-400 — Uncontrolled Resource Consumption9 documents6 sources

Severity

5.3MEDIUMNVD

OSV5.0

EPSS

0.2%

top 53.04%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Matrix-org Synapse Matrix Synapse Fedoraproject Fedora

Timeline

PublishedOct 31

Latest updateSep 12

Description

Synapse is an open-source Matrix homeserver Prior to versions 1.95.1 and 1.96.0rc1, cached device information of remote users can be queried from Synapse. This can be used to enumerate the remote users known to a homeserver. System administrators are encouraged to upgrade to Synapse 1.95.1 or 1.96.0rc1 to receive a patch. As a workaround, the `federation_domain_whitelist` can be used to limit federation traffic with a homeserver.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

▶NVDmatrix/synapse< 1.95.1

▶CVEListV5matrix-org/synapse< 1.95.1

Also affects: Fedora 38, 39

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Liferay Portal: Missing Rate Limiting in GraphQL Endpoint Enables Resource Exhaustion Attack↗2025-09-12

▶

OSV

matrix-synapse vulnerabilities↗2025-04-22

▶

CVEList

Synapse vulnerable to leak of remote user device information↗2023-10-31

▶

GHSA

Synapse vulnerable to leak of remote user device information↗2023-10-31

▶

OSV

Synapse vulnerable to leak of remote user device information↗2023-10-31

▶

📋Vendor Advisories

Ubuntu

Synapse vulnerabilities↗2025-04-22

▶

Debian

CVE-2023-43796: matrix-synapse - Synapse is an open-source Matrix homeserver Prior to versions 1.95.1 and 1.96.0r...↗2023

▶