PYSEC-2019-187

See a problem?

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/matrix-synapse/PYSEC-2019-187.yaml

JSON Data

https://api.osv.dev/v1/vulns/PYSEC-2019-187

Aliases

CVE-2019-5885
GHSA-jrqm-v8cv-53ww

Published

2019-03-21T16:01:00Z

Modified

2023-11-01T04:51:01.026601Z

Summary

[none]

Details

Matrix Synapse before 0.34.0.1, when the macaroonsecretkey authentication parameter is not set, uses a predictable value to derive a secret key and other secrets which could allow remote attackers to impersonate users.

References

https://matrix.org/blog/2019/01/15/further-details-on-critical-security-update-in-synapse-affecting-all-versions-prior-to-0-34-1-cve-2019-5885/
https://matrix.org/blog/2019/01/10/critical-security-update-synapse-0-34-0-1-synapse-0-34-1-1/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VMCLO5PUPBA756UKY72PKUWL4RRM4W6K/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/32Y6KD3OAHCG5P33HC2QEX3NUZOSXCGZ/

Affected packages

PyPI / matrix-synapse

Package

Name: matrix-synapse; View open source insights on deps.dev
Purl: pkg:pypi/matrix-synapse

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.34.0.1

Affected versions

0.*

0.33.5

0.33.5.1

0.33.6rc1

0.33.6

0.33.7rc1

0.33.7rc2

0.33.7

0.33.8rc2

0.33.8

0.33.9

0.34.0rc1

0.34.0rc2

0.34.0