CVE-2019-18835
- Source
- https://cve.org/CVERecord?id=CVE-2019-18835
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-18835.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2019-18835
- Aliases
- Downstream
- Published
- 2019-11-08T00:15:10.413Z
- Modified
- 2026-04-11T20:53:20.523636Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
Matrix Synapse before 1.5.0 mishandles signature checking on some federation APIs. Events sent over /sendjoin, /sendleave, and /invite may not be correctly signed, or may not come from the expected servers.
- References
Affected packages
Git / github.com/matrix-org/synapse
Affected ranges
- Type
- GIT
- Repo
- https://github.com/matrix-org/synapse
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
- Database specific
{ "source": [ "CPE_FIELD", "REFERENCES" ], "extracted_events": [ { "introduced": "0" }, { "fixed": "1.5.0" } ], "cpe": "cpe:2.3:a:matrix:synapse:*:*:*:*:*:*:*:*" }
Affected versions
Other
hhs-1
hhs-2
hhs-3
hhs-5
hhs-6
hhs-7
hhs-8
v0.*
v0.10.0
v0.10.0-r1
v0.10.0-r2
v0.11.0
v0.11.0-r1
v0.11.0-r2
v0.11.1
v0.12.0
v0.13.1
v0.13.2
v0.13.3
v0.14.0
v0.16.0
v0.16.1
v0.16.1-r1
v0.17.0
v0.17.1
v0.17.2
v0.17.3
v0.18.0
v0.18.1
v0.18.2
v0.18.3
v0.18.4
v0.18.5
v0.2.0
v0.2.1
v0.2.1a
v0.2.2
v0.23.0-rc1
v0.23.0-rc2
v0.25.0-rc1
v0.28.0-rc1
v0.3.0
v0.3.3
v0.3.4
v0.32.0
v0.32.0rc1
v0.32.2
v0.4.1
v0.4.2
v0.5.0
v0.5.1
v0.5.2
v0.5.3
v0.5.3a
v0.5.3b
v0.5.3c
v0.5.4
v0.5.4a
v0.6.0
v0.6.0a
v0.6.0b
v0.6.1
v0.6.1a
v0.6.1b
v0.6.1c
v0.6.1d
v0.6.1e
v0.6.1f
v0.7.0
v0.7.0a
v0.7.0b
v0.7.0c
v0.7.0d
v0.7.0e
v0.7.0f
v0.7.1
v0.7.1-r1
v0.7.1-r2
v0.7.1-r3
v0.7.1-r4
v0.8.0
v0.8.1
v0.8.1-r1
v0.8.1-r2
v0.8.1-r3
v0.8.1-r4
v0.9.0
v0.9.0-r1
v0.9.0-r2
v0.9.0-r3
v0.9.0-r4
v0.9.0-r5
v0.9.1
v0.9.2
v0.9.2-r1
v0.9.2-r2
v0.9.3
v0.99.1rc1
v0.99.2rc1
v0.99.4rc1
v0.99.5.1.dev0
v1.*
v1.1.0rc1
v1.1.0rc2
v1.3.0rc1
v1.4.0rc1
v1.5.0rc1
v1.5.0rc2