Cleartext storage of sensitive information in Synapse - CVE-2023-41335

 

Cleartext storage of sensitive information in Synapse - CVE-2023-41335

Published: October 4, 2023


Vulnerability identifier: #VU81454
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2023-41335
CWE-ID: CWE-312
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Matrix.org
Affected software:
Synapse

Detailed vulnerability description

The vulnerability allows a user to gain access to sensitive information.

The vulnerability exists due to the way the application handles password change. When users update their passwords, the new credentials may be briefly held in the server database in clear text. A user with access to the database can obtain the password in clear text.


How to mitigate CVE-2023-41335

Install updates from vendor's website.

Sources