GHSA-jrqm-v8cv-53ww
Suggest an improvement- Source
- https://github.com/advisories/GHSA-jrqm-v8cv-53ww
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-jrqm-v8cv-53ww/GHSA-jrqm-v8cv-53ww.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-jrqm-v8cv-53ww
- Aliases
- Published
- 2022-05-13T01:08:16Z
- Modified
- 2024-02-16T05:31:29.191912Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
- Summary
- Matrix Synapse Predictable Secret Key
- Details
-
Matrix Synapse before 0.34.0.1, when the
macaroon_secret_keyauthentication parameter is not set, uses a predictable value to derive a secret key and other secrets which could allow remote attackers to impersonate users. - References
-
- https://nvd.nist.gov/vuln/detail/CVE-2019-5885
- https://github.com/matrix-org/synapse/issues/4664
- https://github.com/matrix-org/synapse/pull/4315
- https://github.com/matrix-org/synapse/pull/4373
- https://github.com/matrix-org/synapse
- https://github.com/matrix-org/synapse/blob/67f9e5293ea6650b2ec284c0b7503f3f3eade94b/docs/changelogs/CHANGES-pre-1.0.md?plain=1#L460
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/32Y6KD3OAHCG5P33HC2QEX3NUZOSXCGZ
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VMCLO5PUPBA756UKY72PKUWL4RRM4W6K
- https://matrix.org/blog/2019/01/10/critical-security-update-synapse-0-34-0-1-synapse-0-34-1-1
- https://matrix.org/blog/2019/01/15/further-details-on-critical-security-update-in-synapse-affecting-all-versions-prior-to-0-34-1-cve-2019-5885
Affected packages
PyPI / matrix-synapse
Package
- Name
- matrix-synapse
- View open source insights on deps.dev
- Purl
- pkg:pypi/matrix-synapse