CVE-2024-53867

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-53867
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-53867.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-53867
Aliases
Downstream
Related
Published
2024-12-03T16:52:01.596Z
Modified
2025-12-01T19:45:31.482993Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
Synapse Matrix has a partial room state leak via Sliding Sync
Details

Synapse is an open-source Matrix homeserver. The Sliding Sync feature on Synapse versions between 1.113.0rc1 and 1.120.0 can leak partial room state changes to users no longer in a room. Non-state events, like messages, are unaffected. This vulnerability is fixed in 1.120.1.

Database specific 
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-497"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/53xxx/CVE-2024-53867.json"
}
References

Affected packages

Git / github.com/element-hq/synapse

Affected ranges

Type
GIT
Repo
https://github.com/element-hq/synapse
Events
Introduced
932cb0a92838918fc38c233be3797adf43b8893d
Fixed
fe3d88b833f76742874642c119b14b788341c905
Database specific 
{
    "versions": [
        {
            "introduced": "1.113.0rc1"
        },
        {
            "fixed": "1.120.1"
        }
    ]
}

Affected versions

v1.*

v1.113.0
v1.113.0rc1
v1.114.0
v1.114.0rc1
v1.114.0rc2
v1.114.0rc3
v1.115.0
v1.115.0rc1
v1.115.0rc2
v1.116.0
v1.116.0rc1
v1.116.0rc2
v1.117.0
v1.117.0rc1
v1.118.0
v1.118.0rc1
v1.119.0
v1.119.0rc1
v1.119.0rc2
v1.120.0
v1.120.0rc1