CVE-2023-43796 Affecting matrix-synapse package, versions <1.95.1-1


Severity

Recommended
0.0
medium
0
10

Snyk's Security Team recommends NVD's CVSS assessment

    Threat Intelligence

    EPSS
    0.11% (45th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-DEBIANUNSTABLE-MATRIXSYNAPSE-6042780
  • published 2 Nov 2023
  • disclosed 31 Oct 2023

How to fix?

Upgrade Debian:unstable matrix-synapse to version 1.95.1-1 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream matrix-synapse package and not the matrix-synapse package as distributed by Debian. See How to fix? for Debian:unstable relevant fixed versions and status.

Synapse is an open-source Matrix homeserver Prior to versions 1.95.1 and 1.96.0rc1, cached device information of remote users can be queried from Synapse. This can be used to enumerate the remote users known to a homeserver. System administrators are encouraged to upgrade to Synapse 1.95.1 or 1.96.0rc1 to receive a patch. As a workaround, the federation_domain_whitelist can be used to limit federation traffic with a homeserver.

CVSS Scores

version 3.1
Expand this section

NVD

5.3 medium
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    Low
  • Integrity (I)
    None
  • Availability (A)
    None