Improper access control in Synapse

#VU81455 Improper access control in Synapse

Published: 2023-10-04

Vulnerability identifier: #VU81455

Vulnerability risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-42453

CWE-ID: CWE-284

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Synapse
Server applications / Conferencing, Collaboration and VoIP solutions

Vendor: Matrix.org

Description

The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions. A remote user can forge read receipts for any event and mark the events as read for other application users.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Synapse: 0.34.0 - 1.92.3

External links
http://github.com/matrix-org/synapse/security/advisories/GHSA-7565-cq32-vx2x
http://github.com/matrix-org/synapse/pull/16327

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Fedora 37 update for matrix-synapse

Fedora 38 update for matrix-synapse

Fedora 39 update for matrix-synapse

Multiple vulnerabilities in Matrix Synapse