GHSA-3x4c-pq33-4w3q

Source

https://github.com/advisories/GHSA-3x4c-pq33-4w3q

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-3x4c-pq33-4w3q/GHSA-3x4c-pq33-4w3q.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-3x4c-pq33-4w3q

Aliases

Published

2021-09-01T18:25:27Z

Modified

2024-02-17T05:36:31.148346Z

Severity

3.1 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

Improper authorisation of members discloses room membership to non-members

Details

Impact

Unauthorised users can access the membership (list of members, with their display names) of a room if they know the ID of the room. The vulnerability is limited to rooms with shared history visibility. Furthermore, the unauthorised user must be using an account on a vulnerable homeserver that is in the room.

Patches

Server administrators should upgrade to 1.41.1 or later.

Workarounds

Administrators of servers that use a reverse proxy could, with potentially unacceptable loss of functionality, block the following endpoints: * /_matrix/client/r0/rooms/{room_id}/members with at query parameter * /_matrix/client/unstable/rooms/{room_id}/members with at query parameter

References

n/a

For more information

If you have any questions or comments about this advisory, e-mail us at security@matrix.org.

References

Affected packages

PyPI / matrix-synapse

Package

Name: matrix-synapse; View open source insights on deps.dev
Purl: pkg:pypi/matrix-synapse

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.41.1

Affected versions

0.*

0.33.5

0.33.5.1

0.33.6rc1

0.33.6

0.33.7rc1

0.33.7rc2

0.33.7

0.33.8rc2

0.33.8

0.33.9

0.34.0rc1

0.34.0rc2

0.34.0

0.34.0.1

0.34.1.1

0.99.0rc1

0.99.0rc2

0.99.0rc3

0.99.0rc4

0.99.0

0.99.1rc1

0.99.1rc2

0.99.1

0.99.1.1

0.99.2rc1

0.99.2

0.99.3rc1

0.99.3

0.99.3.1

0.99.3.2

0.99.4rc1

0.99.4

0.99.5rc1

0.99.5

0.99.5.1

0.99.5.2

1.*

1.0.0rc1

1.0.0rc2

1.0.0rc3

1.0.0

1.1.0rc1

1.1.0rc2

1.1.0

1.2.0rc1

1.2.0rc2

1.2.0

1.2.1

1.3.0rc1

1.3.0

1.3.1

1.4.0rc1

1.4.0rc2

1.4.0

1.4.1rc1

1.4.1

1.5.0rc1

1.5.0rc2

1.5.0

1.5.1

1.6.0rc1

1.6.0rc2

1.6.0

1.6.1

1.7.0rc1

1.7.0rc2

1.7.0

1.7.1

1.7.2

1.7.3

1.8.0rc1

1.8.0

1.9.0.dev1

1.9.0.dev2

1.9.0rc1

1.9.0

1.9.1

1.10.0rc1

1.10.0rc2

1.10.0rc3

1.10.0rc5

1.10.0

1.10.1

1.11.0rc1

1.11.0

1.11.1

1.12.0rc1

1.12.0

1.12.1rc1

1.12.1

1.12.2

1.12.3

1.12.4rc1

1.12.4

1.13.0rc1

1.13.0rc2

1.13.0rc3

1.13.0

1.14.0rc1

1.14.0rc2

1.14.0

1.15.0rc1

1.15.0

1.15.1

1.15.2

1.16.0rc1

1.16.0rc2

1.16.0

1.16.1

1.17.0rc1

1.17.0

1.18.0rc1

1.18.0rc2

1.18.0

1.19.0rc1

1.19.0

1.19.1rc1

1.19.1

1.19.2

1.19.3

1.20.0rc1

1.20.0rc2

1.20.0rc3

1.20.0rc4

1.20.0rc5

1.20.0

1.20.1

1.21.0rc1

1.21.0rc2

1.21.0rc3

1.21.0

1.21.1

1.21.2

1.22.0rc1

1.22.0rc2

1.22.0

1.22.1

1.23.0rc1

1.23.0

1.23.1

1.24.0rc1

1.24.0rc2

1.24.0

1.25.0rc1

1.25.0

1.26.0rc1

1.26.0rc2

1.26.0

1.27.0rc1

1.27.0rc2

1.27.0

1.28.0rc1

1.28.0

1.29.0rc1

1.29.0

1.30.0rc1

1.30.0

1.30.1

1.31.0rc1

1.31.0

1.32.0rc1

1.32.0

1.32.1

1.32.2

1.33.0rc1

1.33.0rc2

1.33.0

1.33.1

1.33.2

1.34.0rc1

1.34.0

1.35.0rc1

1.35.0rc2

1.35.0rc3

1.35.0

1.35.1

1.36.0rc1

1.36.0rc2

1.36.0

1.37.0rc1

1.37.0

1.37.1rc1

1.37.1

1.38.0rc1

1.38.0rc2

1.38.0rc3

1.38.0

1.38.1

1.39.0rc1

1.39.0rc2

1.39.0rc3

1.39.0

1.40.0rc1

1.40.0rc2

1.40.0rc3

1.40.0

1.41.0rc1

1.41.0