Workflow

PyPi: Matrix-Synapse

CVE-2023-32682

Safety vulnerability ID: 58942

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Jun 06, 2023 Updated at Dec 11, 2024
Scan your Python projects for vulnerabilities →

Advisory

Matrix-synapse 1.85.0 includes a security fix: Improper checks for deactivated users during login.
https://github.com/matrix-org/synapse/security/advisories/GHSA-26c5-ppr8-f33p
https://github.com/matrix-org/synapse/pull/15624
https://github.com/matrix-org/synapse/pull/15634

Affected package

matrix-synapse

Latest version: 1.121.1

Homeserver for the Matrix decentralised comms protocol

Affected versions

Fixed versions

Vulnerability changelog

Synapse is a Matrix protocol homeserver written in Python with the Twisted framework. In affected versions it may be possible for a deactivated user to login when using uncommon configurations. This only applies if any of the following are true: 1. JSON Web Tokens are enabled for login via the `jwt_config.enabled` configuration setting. 2. The local password database is enabled via the `password_config.enabled` and `password_config.localdb_enabled` configuration settings *and* a user's password is updated via an admin API after a user is deactivated. Note that the local password database is enabled by default, but it is uncommon to set a user's password after they've been deactivated. Installations that are configured to only allow login via Single Sign-On (SSO) via CAS, SAML or OpenID Connect (OIDC); or via an external password provider (e.g. LDAP) are not affected. If not using JSON Web Tokens, ensure that deactivated users do not have a password set. This issue has been addressed in version 1.85.0. Users are advised to upgrade. See CVE-2023-32682.


MISC:https://github.com/matrix-org/synapse/pull/15624: https://github.com/matrix-org/synapse/pull/15624
MISC:https://github.com/matrix-org/synapse/pull/15634: https://github.com/matrix-org/synapse/pull/15634
MISC:https://github.com/matrix-org/synapse/security/advisories/GHSA-26c5-ppr8-f33p: https://github.com/matrix-org/synapse/security/advisories/GHSA-26c5-ppr8-f33p
MISC:https://matrix-org.github.io/synapse/latest/admin_api/user_admin_api.html#create-or-modify-account: https://matrix-org.github.io/synapse/latest/admin_api/user_admin_api.html#create-or-modify-account
MISC:https://matrix-org.github.io/synapse/latest/jwt.html: https://matrix-org.github.io/synapse/latest/jwt.html
MISC:https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#password_config: https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#password_config

Resources

Use this package?

Scan your Python project for dependency vulnerabilities in two minutes

Scan your application

Severity Details

CVSS Base Score

MEDIUM 5.4

CVSS v3 Details

MEDIUM 5.4
Attack Vector (AV)
NETWORK
Attack Complexity (AC)
LOW
Privileges Required (PR)
LOW
User Interaction (UI)
NONE
Scope (S)
UNCHANGED
Confidentiality Impact (C)
LOW
Integrity Impact (I)
LOW
Availability Availability (A)
NONE