CVE-2024-53867Exposure of Sensitive System Information to an Unauthorized Control Sphere in Synapse

CWE-497Exposure of Sensitive System Information to an Unauthorized Control Sphere6 documents5 sources
Severity
4.3MEDIUMNVD
EPSS
0.1%
top 72.97%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Element-hq Synapse
Timeline
PublishedDec 3

Description

Synapse is an open-source Matrix homeserver. The Sliding Sync feature on Synapse versions between 1.113.0rc1 and 1.120.0 can leak partial room state changes to users no longer in a room. Non-state events, like messages, are unaffected. This vulnerability is fixed in 1.120.1.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages1 packages

CVEListV5element-hq/synapse>= 1.113.0rc1, < 1.120.1

🔴Vulnerability Details

4
CVEList
Synapse Matrix has a partial room state leak via Sliding Sync2024-12-03
OSV
CVE-2024-53867: Synapse is an open-source Matrix homeserver2024-12-03
OSV
Synapse Matrix has a partial room state leak via Sliding Sync2024-12-03
GHSA
Synapse Matrix has a partial room state leak via Sliding Sync2024-12-03

📋Vendor Advisories

1
Debian
CVE-2024-53867: matrix-synapse - Synapse is an open-source Matrix homeserver. The Sliding Sync feature on Synapse...2024
CVE-2024-53867 — Element-hq Synapse vulnerability | cvebase