Information Exposure Affecting matrix-synapse package, versions [,1.95.1)
Threat Intelligence
EPSS
0.13% (48th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PYTHON-MATRIXSYNAPSE-6041983
- published 1 Nov 2023
- disclosed 31 Oct 2023
- credit Unknown
Introduced: 31 Oct 2023
CVE-2023-43796 Open this link in a new tabHow to fix?
Upgrade matrix-synapse
to version 1.95.1 or higher.
Overview
matrix-synapse is an ecosystem for open federated Instant Messaging and VoIP.
Affected versions of this package are vulnerable to Information Exposure. An attacker can query remote users' device information which can be used to enumerate the remote users known to a homeserver.
Workaround
This vulnerability can be mitigated by using the federation_domain_whitelist
to limit federation traffic with a homeserver.
References
CVSS Scores
version 3.1