Improper Authentication in Synapse - #VU23098

 


Published: November 29, 2019


Vulnerability identifier: #VU23098
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-287
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Matrix.org
Affected software:
Synapse

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass the authentication process.

The vulnerability exists because the application does not remove local threepids upon user deactivation, which allows access for deactivated accounts. The problem resides within the "/synapse/storage/data_stores/main/registration.py" and "/synapse/handlers/deactivate_account.py" scripts.

A remote attacker can bypass authentication and gain unauthorized access to the application.
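
An audit for the condition described above, as an added example that is not Synapse's code or part of the advisory: it lists threepids still bound to deactivated accounts and shows deactivation removing them in the same transaction. The table and column names are a simplified schema assumed for illustration, and the sample rows are constructed.

```python
import sqlite3

# Simplified, assumed schema: an accounts table with a deactivated flag and a
# table of locally bound third-party identifiers (threepids).
SCHEMA = """
CREATE TABLE users (name TEXT PRIMARY KEY, deactivated INTEGER NOT NULL DEFAULT 0);
CREATE TABLE user_threepids (user_id TEXT NOT NULL, medium TEXT NOT NULL,
                             address TEXT NOT NULL, UNIQUE (medium, address));
"""

def build_sample_db():
    """Constructed sample data: one active and two deactivated accounts."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO users VALUES (?, ?)", [
        ("@alice:example.org", 0),
        ("@bob:example.org", 1),      # deactivated, threepid left behind
        ("@carol:example.org", 1),    # deactivated, cleaned up correctly
    ])
    db.executemany("INSERT INTO user_threepids VALUES (?, ?, ?)", [
        ("@alice:example.org", "email", "alice@example.org"),
        ("@bob:example.org", "email", "bob@example.org"),
    ])
    db.commit()
    return db

def stale_threepids(db):
    """Return (user, medium, address) rows still bound to deactivated accounts."""
    return db.execute(
        "SELECT t.user_id, t.medium, t.address FROM user_threepids t "
        "JOIN users u ON u.name = t.user_id WHERE u.deactivated = 1 "
        "ORDER BY t.user_id, t.medium, t.address").fetchall()

def deactivate(db, user_id):
    """Deactivate an account and drop its local threepids in one transaction."""
    with db:  # commits on success, rolls back on error
        db.execute("UPDATE users SET deactivated = 1 WHERE name = ?", (user_id,))
        db.execute("DELETE FROM user_threepids WHERE user_id = ?", (user_id,))

if __name__ == "__main__":
    db = build_sample_db()
    for row in stale_threepids(db):
        print("stale threepid:", row)
```

Any row returned by `stale_threepids` is an identifier that should have been removed when its account was deactivated.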


Remediation

Install updates from the vendor's website.
