Main Vulnerability Database Vulnerabilities #VU81454

#VU81454 Cleartext storage of sensitive information in Synapse - CVE-2023-41335

Published: October 4, 2023

Vulnerability identifier: #VU81454

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2023-41335

CWE-ID: CWE-312

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Synapse

Software vendor:
Matrix.org

Description

The vulnerability allows a user to gain access to sensitive information.

The vulnerability exists due to the way the application handles password change. When users update their passwords, the new credentials may be briefly held in the server database in clear text. A user with access to the database can obtain the password in clear text.

Remediation

Install updates from vendor's website.

External links

https://github.com/matrix-org/synapse/pull/16272
https://github.com/matrix-org/synapse/security/advisories/GHSA-4f74-84v3-j9q5

#VU81454 Cleartext storage of sensitive information in Synapse - CVE-2023-41335

Description

Remediation

External links

Please verify you're human