CVE-2020-26257
See a problem?- Source
- https://nvd.nist.gov/vuln/detail/CVE-2020-26257
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-26257.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2020-26257
- Aliases
- Related
- Published
- 2020-12-09T19:15:11Z
- Modified
- 2024-09-11T04:37:51.559370Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- [none]
- Details
-
Matrix is an ecosystem for open federated Instant Messaging and VoIP. Synapse is a reference "homeserver" implementation of Matrix. A malicious or poorly-implemented homeserver can inject malformed events into a room by specifying a different room id in the path of a
/send_join,/send_leave,/inviteor/exchange_third_party_inviterequest. This can lead to a denial of service in which future events will not be correctly sent to other servers over federation. This affects any server which accepts federation requests from untrusted servers. The Matrix Synapse reference implementation before version 1.23.1 the implementation is vulnerable to this injection attack. Issue is fixed in version 1.23.1. As a workaround homeserver administrators could limit access to the federation API to trusted servers (for example viafederation_domain_whitelist). - References
-
- https://github.com/matrix-org/synapse/security/advisories/GHSA-hxmp-pqch-c8mm
- https://github.com/matrix-org/synapse/commit/3ce2f303f15f6ac3dc352298972dc6e04d9b7a8b
- https://github.com/matrix-org/synapse/pull/8776
- https://github.com/matrix-org/synapse/blob/develop/CHANGES.md#synapse-1231-2020-12-09
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DBTIU3ZNBFWZ56V4X7JIAD33V5H2GOMC/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QR4MMYZKX5N5GYGH4H5LBUUC5TLAFHI7/
- https://security-tracker.debian.org/tracker/CVE-2020-26257
Affected packages
Debian:13 / matrix-synapse
Package
- Name
- matrix-synapse
- Purl
- pkg:deb/debian/matrix-synapse?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.24.0-1
Affected versions
0.*
0.19.2+dfsg-3
0.19.2+dfsg-4
0.19.2+dfsg-5
0.19.2+dfsg-6
0.24.0+dfsg-1
0.27.2+dfsg-1
0.28.0+dfsg-1
0.28.0+dfsg-2
0.28.1+dfsg-1
0.29.1+dfsg-1
0.30.0+dfsg-1
0.31.0+dfsg-1
0.31.0+dfsg-2
0.31.1+dfsg-1
0.31.1+dfsg-2
0.31.2+dfsg-1
0.32.2+dfsg-1
0.33.0+dfsg-1
0.33.1+dfsg-1
0.33.2+dfsg-1
0.33.2+dfsg-2
0.33.2+dfsg-3
0.33.3-1
0.33.3-2
0.33.3.1-1
0.33.4-1~bpo9+1
0.33.4-1
0.33.8-1
0.33.9-2~bpo9+1
0.33.9-2
0.34.0~rc2-1
0.34.0-1
0.34.0-2
0.34.0-3~bpo9+1
0.34.0-3~bpo9+2
0.34.0-3
0.34.1.1-1
0.34.1.1-2~bpo9+1
0.34.1.1-2
0.34.1.1-3~bpo9+1
0.34.1.1-3~bpo9+2
0.34.1.1-3
0.34.1.1-4
0.99.0-1~bpo9+1
0.99.0-1~bpo9+2
0.99.0-1~bpo9+3
0.99.0-1
0.99.1.1-1
0.99.2-1~bpo9+1
0.99.2-1~bpo9+2
0.99.2-1
0.99.2-2
0.99.2-3
0.99.2-4
0.99.2-5~bpo9+1
0.99.2-5
0.99.2-6
0.99.3.2-1
0.99.5.1-1
0.99.5.2-1
1.*
1.0.0-1
1.0.0-2~bpo10+1
1.0.0-2
1.1.0-1
1.2.1-1~bpo10+1
1.2.1-1~bpo10+2
1.2.1-1
1.2.1-2
1.3.0-1~bpo10+1
1.3.0-1
1.4.0~rc1-1
1.4.0-1
1.5.0~rc1-1
1.5.0-1
1.5.1-1~bpo10+1
1.5.1-1
1.6.0-1
1.6.1-1~bpo10+1
1.6.1-1
1.7.0-1
1.7.0-2
1.7.1-1
1.7.2-1~bpo10+1
1.7.2-1
1.7.3-1~bpo10+1
1.7.3-1
1.8.0-1
1.9.0-1~bpo10+1
1.9.0-1
1.9.1-1~bpo10+1
1.9.1-1
1.10.0-1
1.10.0-2
1.11.0-1
1.11.1-1~bpo10+1
1.11.1-1
1.12.0-1~bpo10+1
1.12.0-1
1.12.3-1~bpo10+1
1.12.3-1
1.12.4-1~bpo10+1
1.12.4-1
1.13.0-1~bpo10+1
1.13.0-1
1.15.0-1
1.15.1-1~bpo10+1
1.15.1-1~bpo10+2
1.15.1-1
1.15.2-1
1.16.0-1
1.17.0-1~bpo10+1
1.17.0-1
1.18.0-1~bpo10+1
1.18.0-1
1.19.0-1~bpo10+1
1.19.0-1
1.19.1-1~bpo10+1
1.19.1-1~bpo10+2
1.19.1-1~bpo10+3
1.19.1-1
1.19.2-1
1.19.3-1
1.20.0-1
1.20.1-1~bpo10+1
1.20.1-1
1.21.1-1
1.21.2-1~bpo10+1
1.21.2-1
1.22.1-1~bpo10+1
1.22.1-1
1.22.1-2~bpo10+1
1.22.1-2
1.23.0-1~bpo10+1
1.23.0-1
1.24.0-1~bpo10+1
Git / github.com/matrix-org/synapse
Affected ranges
- Type
- GIT
- Repo
- https://github.com/matrix-org/synapse
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
0.*
0.34.0rc2
1.*
1.7.2
Other
alpha
hhs-1
hhs-2
hhs-3
hhs-4
hhs-5
hhs-6
hhs-7
hhs-8
v0.*
v0.0.0
v0.0.1
v0.1.0
v0.1.1
v0.1.2
v0.10.0
v0.10.0-r1
v0.10.0-r2
v0.10.0-rc1
v0.10.0-rc2
v0.10.0-rc3
v0.10.0-rc4
v0.10.0-rc5
v0.10.0-rc6
v0.10.1-rc1
v0.11.0
v0.11.0-r1
v0.11.0-r2
v0.11.0-rc1
v0.11.0-rc2
v0.11.1
v0.12.0
v0.12.0-rc1
v0.12.0-rc2
v0.12.0-rc3
v0.12.1-rc1
v0.13.0
v0.13.1
v0.13.2
v0.13.3
v0.14.0
v0.14.0-rc1
v0.14.0-rc2
v0.15.0-rc1
v0.16.0
v0.16.0-rc1
v0.16.0-rc2
v0.16.1
v0.16.1-r1
v0.16.1-rc1
v0.17.0
v0.17.0-rc1
v0.17.0-rc2
v0.17.0-rc3
v0.17.0-rc4
v0.17.1
v0.17.1-rc1
v0.17.2
v0.17.2-rc1
v0.17.3
v0.18.0
v0.18.0-rc1
v0.18.1
v0.18.1-rc1
v0.18.2
v0.18.2-rc1
v0.18.2-rc2
v0.18.2-rc3
v0.18.2-rc4
v0.18.2-rc5
v0.18.3
v0.18.4
v0.18.4-rc1
v0.18.5
v0.18.5-rc1
v0.18.5-rc2
v0.18.5-rc3
v0.18.6
v0.18.6-rc1
v0.18.6-rc2
v0.18.6-rc3
v0.18.7
v0.18.7-rc1
v0.18.7-rc2
v0.19.0
v0.19.0-rc1
v0.19.0-rc2
v0.19.0-rc3
v0.19.0-rc4
v0.19.1
v0.19.2
v0.19.3
v0.19.3-rc1
v0.19.3-rc2
v0.2.0
v0.2.1
v0.2.1a
v0.2.2
v0.2.3
v0.20.0
v0.20.0-rc1
v0.21.0
v0.21.0-rc1
v0.21.0-rc2
v0.21.0-rc3
v0.21.1
v0.22.0
v0.22.0-rc1
v0.22.0-rc2
v0.22.1
v0.23.0
v0.23.0-rc1
v0.23.0-rc2
v0.23.1
v0.24.0
v0.24.0-rc1
v0.24.1
v0.25.0
v0.25.0-rc1
v0.25.1
v0.26.0
v0.26.0-rc1
v0.26.1
v0.27.0
v0.27.0-rc1
v0.27.0-rc2
v0.27.1
v0.27.2
v0.27.3
v0.27.3-rc1
v0.27.3-rc2
v0.27.4
v0.28.0
v0.28.0-rc1
v0.28.1
v0.29.0
v0.29.0-rc1
v0.29.1
v0.3.0
v0.3.1
v0.3.2
v0.3.3
v0.3.4
v0.30.0
v0.30.0-rc1
v0.31.0
v0.31.0-rc1
v0.31.1
v0.31.2
v0.32.0
v0.32.0rc1
v0.32.1
v0.32.2
v0.33.0
v0.33.0rc1
v0.33.1
v0.33.2
v0.33.2rc1
v0.33.3
v0.33.3.1
v0.33.3rc1
v0.33.3rc2
v0.33.4
v0.33.4rc1
v0.33.4rc2
v0.33.5
v0.33.5.1
v0.33.5rc1
v0.33.6
v0.33.6rc1
v0.33.7
v0.33.7rc1
v0.33.7rc2
v0.33.8
v0.33.8rc1
v0.33.8rc2
v0.33.9
v0.33.9rc1
v0.34.0
v0.34.0rc1
v0.34.0rc2
v0.34.1
v0.34.1+1
v0.34.1.1
v0.34.1rc1
v0.4.1
v0.4.2
v0.5.0
v0.5.1
v0.5.2
v0.5.3
v0.5.3a
v0.5.3b
v0.5.3c
v0.5.4
v0.5.4a
v0.6.0
v0.6.0a
v0.6.0b
v0.6.1
v0.6.1a
v0.6.1b
v0.6.1c
v0.6.1d
v0.6.1e
v0.6.1f
v0.7.0
v0.7.0a
v0.7.0b
v0.7.0c
v0.7.0d
v0.7.0e
v0.7.0f
v0.7.1
v0.7.1-r1
v0.7.1-r2
v0.7.1-r3
v0.7.1-r4
v0.8.0
v0.8.1
v0.8.1-r1
v0.8.1-r2
v0.8.1-r3
v0.8.1-r4
v0.9.0
v0.9.0-r1
v0.9.0-r2
v0.9.0-r3
v0.9.0-r4
v0.9.0-r5
v0.9.1
v0.9.2
v0.9.2-r1
v0.9.2-r2
v0.9.3
v0.9.3-rc1
v0.99.0
v0.99.0rc1
v0.99.0rc2
v0.99.0rc3
v0.99.0rc4
v0.99.1
v0.99.1.1
v0.99.1rc1
v0.99.1rc2
v0.99.2
v0.99.2rc1
v0.99.3
v0.99.3.1
v0.99.3.2
v0.99.3rc1
v0.99.4
v0.99.4rc1
v0.99.5
v0.99.5.1
v0.99.5.1.dev0
v0.99.5.2
v0.99.5rc1
v1.*
v1.0.0
v1.0.0rc1
v1.0.0rc2
v1.0.0rc3
v1.1.0
v1.1.0rc1
v1.1.0rc2
v1.10.0
v1.10.0rc1
v1.10.0rc2
v1.10.0rc3
v1.10.0rc5
v1.10.1
v1.11.0
v1.11.0rc1
v1.11.1
v1.12.0
v1.12.0rc1
v1.12.1
v1.12.1rc1
v1.12.2
v1.12.3
v1.12.4
v1.12.4rc1
v1.13.0
v1.13.0rc1
v1.13.0rc2
v1.13.0rc3
v1.14.0
v1.14.0rc1
v1.14.0rc2
v1.15.0
v1.15.0rc1
v1.15.1
v1.15.2
v1.16.0
v1.16.0rc1
v1.16.0rc2
v1.16.1
v1.17.0
v1.17.0rc1
v1.18.0
v1.18.0rc1
v1.18.0rc2
v1.19.0
v1.19.0rc1
v1.19.1
v1.19.1rc1
v1.19.2
v1.19.3
v1.2.0
v1.2.0rc1
v1.2.0rc2
v1.2.1
v1.20.0
v1.20.0rc1
v1.20.0rc2
v1.20.0rc3
v1.20.0rc4
v1.20.0rc5
v1.20.1
v1.21.0
v1.21.0rc1
v1.21.0rc2
v1.21.0rc3
v1.21.1
v1.21.2
v1.22.0
v1.22.0rc1
v1.22.0rc2
v1.22.1
v1.23.0
v1.23.0rc1
v1.3.0
v1.3.0rc1
v1.3.1
v1.4.0
v1.4.0rc1
v1.4.0rc2
v1.4.1
v1.4.1rc1
v1.5.0
v1.5.0rc1
v1.5.0rc2
v1.5.1
v1.6.0
v1.6.0rc1
v1.6.0rc2
v1.6.1
v1.7.0
v1.7.0rc1
v1.7.0rc2
v1.7.1
v1.7.2
v1.7.3
v1.8.0
v1.8.0rc1
v1.9.0
v1.9.0.dev1
v1.9.0.dev2
v1.9.0rc1
v1.9.1