Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/54191?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/54191?format=api", "purl": "pkg:pypi/matrix-synapse@0.99.2", "type": "pypi", "namespace": "", "name": "matrix-synapse", "version": "0.99.2", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "1.152.1", "latest_non_vulnerable_version": "1.152.1", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/217742?format=api", "vulnerability_id": "VCID-1dpy-pb4k-p3er", "summary": "An issue was discovered in Matrix Sydent before 1.0.3 and Synapse before 0.99.3.1. Random number generation is mishandled, which makes it easier for attackers to predict a Sydent authentication token or a Synapse random ID.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2019-11842", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00407", "scoring_system": "epss", "scoring_elements": "0.61587", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00407", "scoring_system": "epss", "scoring_elements": "0.6169", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00407", "scoring_system": "epss", "scoring_elements": "0.61698", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00407", "scoring_system": "epss", "scoring_elements": "0.61693", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-11842" }, { "reference_url": "https://github.com/advisories/GHSA-gwf7-vfjf-wf6x", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-gwf7-vfjf-wf6x" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2019-185.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2019-185.yaml" }, { "reference_url": "https://matrix.org/blog/2019/05/03/security-updates-sydent-1-0-3-synapse-0-99-3-1-and-riot-android-0-9-0-0-8-99-0-8-28-a", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://matrix.org/blog/2019/05/03/security-updates-sydent-1-0-3-synapse-0-99-3-1-and-riot-android-0-9-0-0-8-99-0-8-28-a" }, { "reference_url": "https://matrix.org/blog/2019/05/03/security-updates-sydent-1-0-3-synapse-0-99-3-1-and-riot-android-0-9-0-0-8-99-0-8-28-a/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://matrix.org/blog/2019/05/03/security-updates-sydent-1-0-3-synapse-0-99-3-1-and-riot-android-0-9-0-0-8-99-0-8-28-a/" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11842", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11842" }, { "reference_url": "https://usn.ubuntu.com/6076-1/", "reference_id": "USN-6076-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/6076-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/54195?format=api", "purl": "pkg:pypi/matrix-synapse@0.99.3.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1xwm-33sy-3qfv" }, { "vulnerability": "VCID-27ht-47d2-77f6" }, { "vulnerability": "VCID-2ctw-4fy5-4ufd" }, { "vulnerability": "VCID-2du1-3n24-rbgx" }, { "vulnerability": "VCID-3ngy-dt6j-tuef" }, { "vulnerability": "VCID-4kph-6snj-huhk" }, { "vulnerability": "VCID-5h97-3s9w-c3ab" }, { "vulnerability": "VCID-6a8s-n8vb-hker" }, { "vulnerability": "VCID-7v7h-zrjj-pkh3" }, { "vulnerability": "VCID-86br-xun2-gudx" }, { "vulnerability": "VCID-8974-zsm2-ybbv" }, { "vulnerability": "VCID-8n5g-1zby-77gj" }, { "vulnerability": "VCID-9uhc-e3bj-nqg7" }, { "vulnerability": "VCID-ahwq-36cc-pqhn" }, { "vulnerability": "VCID-b2u5-56b4-63ae" }, { "vulnerability": "VCID-bkk8-srvr-pqfj" }, { "vulnerability": "VCID-c1vt-9j6a-b7cr" }, { "vulnerability": "VCID-cdnv-apfv-nuf8" }, { "vulnerability": "VCID-cjar-y1hc-4ybu" }, { "vulnerability": "VCID-dux1-nmrm-xqa1" }, { "vulnerability": "VCID-g8ff-1859-ekhm" }, { "vulnerability": "VCID-hjuv-5rpx-hfe3" }, { "vulnerability": "VCID-hqwh-2un3-bqd8" }, { "vulnerability": "VCID-j879-8928-yyh8" }, { "vulnerability": "VCID-n8mv-4upg-hfa3" }, { "vulnerability": "VCID-p9ck-pwqp-qyc7" }, { "vulnerability": "VCID-rcdd-qkxt-nuez" }, { "vulnerability": "VCID-s1jf-x5ug-jqcq" }, { "vulnerability": "VCID-sz98-t7z9-bqea" }, { "vulnerability": "VCID-v2m6-n5w2-wfc5" }, { "vulnerability": "VCID-vns7-ssd1-8bhe" }, { "vulnerability": "VCID-y6j7-eetd-pkfh" }, { "vulnerability": "VCID-ygy4-xzjr-2fdc" }, { "vulnerability": "VCID-yu4n-aq57-67g5" }, { "vulnerability": "VCID-yync-gs3f-nyax" }, { "vulnerability": "VCID-z6uu-5bdh-pud4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@0.99.3.1" } ], "aliases": [ "CVE-2019-11842", "GHSA-gwf7-vfjf-wf6x", "PYSEC-2019-185" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1dpy-pb4k-p3er" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/69798?format=api", "vulnerability_id": "VCID-1xwm-33sy-3qfv", "summary": "Synapse is an open source Matrix homeserver implementation. Prior to 1.152.1, in federated rooms, malicious homeservers can craft room events in such a way that prevents Synapse from providing full history to paginating clients. Clients could therefore fail to display room history. This vulnerability is fixed in 1.152.1.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-45076", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00091", "scoring_system": "epss", "scoring_elements": "0.25975", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00091", "scoring_system": "epss", "scoring_elements": "0.25957", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00091", "scoring_system": "epss", "scoring_elements": "0.25759", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00091", "scoring_system": "epss", "scoring_elements": "0.25959", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-45076" }, { "reference_url": "https://github.com/element-hq/synapse", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/element-hq/synapse" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2026-194.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2026-194.yaml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45076", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45076" }, { "reference_url": "https://github.com/advisories/GHSA-6qf2-7x63-mm6v", "reference_id": "GHSA-6qf2-7x63-mm6v", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6qf2-7x63-mm6v" }, { "reference_url": "https://github.com/element-hq/synapse/security/advisories/GHSA-6qf2-7x63-mm6v", "reference_id": "GHSA-6qf2-7x63-mm6v", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-06-02T14:51:22Z/" } ], "url": "https://github.com/element-hq/synapse/security/advisories/GHSA-6qf2-7x63-mm6v" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/93940?format=api", "purl": "pkg:pypi/matrix-synapse@1.152.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.152.1" } ], "aliases": [ "CVE-2026-45076", "CVE-2026-45076,", "GHSA-6qf2-7x63-mm6v", "PYSEC-2026-194" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1xwm-33sy-3qfv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/167250?format=api", "vulnerability_id": "VCID-27ht-47d2-77f6", "summary": "Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. The Matrix specification specifies a list of [event authorization rules](https://spec.matrix.org/v1.2/rooms/v9/#authorization-rules) which must be checked when determining if an event should be accepted into a room. In versions of Synapse up to and including version 1.61.0, some of these rules are not correctly applied. An attacker could craft events which would be accepted by Synapse but not a spec-conformant server, potentially causing divergence in the room state between servers. Administrators of homeservers with federation enabled are advised to upgrade to version 1.62.0 or higher. Federation can be disabled by setting [`federation_domain_whitelist`](https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#federation_domain_whitelist) to an empty list (`[]`) as a workaround.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-31152", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00731", "scoring_system": "epss", "scoring_elements": "0.73151", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00731", "scoring_system": "epss", "scoring_elements": "0.73241", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00731", "scoring_system": "epss", "scoring_elements": "0.73243", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00731", "scoring_system": "epss", "scoring_elements": "0.73228", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-31152" }, { "reference_url": "https://github.com/matrix-org/synapse", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse" }, { "reference_url": "https://github.com/matrix-org/synapse/commit/d4b1c0d800eaa83c4d56a9cf17881ad362b9194b", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/commit/d4b1c0d800eaa83c4d56a9cf17881ad362b9194b" }, { "reference_url": "https://github.com/matrix-org/synapse/commit/e16ea87d0f8c4c30cad36f85488eb1f647e640b0", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/commit/e16ea87d0f8c4c30cad36f85488eb1f647e640b0" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2022-262.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2022-262.yaml" }, { "reference_url": "https://github.com/matrix-org/synapse/pull/13087", "reference_id": "13087", "reference_type": "", "scores": [ { "value": "6.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:01:29Z/" } ], "url": "https://github.com/matrix-org/synapse/pull/13087" }, { "reference_url": "https://github.com/matrix-org/synapse/pull/13088", "reference_id": "13088", "reference_type": "", "scores": [ { "value": "6.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:01:29Z/" } ], "url": "https://github.com/matrix-org/synapse/pull/13088" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31152", "reference_id": "CVE-2022-31152", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31152" }, { "reference_url": "https://github.com/advisories/GHSA-jhjh-776m-4765", "reference_id": "GHSA-jhjh-776m-4765", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-jhjh-776m-4765" }, { "reference_url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-jhjh-776m-4765", "reference_id": "GHSA-jhjh-776m-4765", "reference_type": "", "scores": [ { "value": "6.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:01:29Z/" } ], "url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-jhjh-776m-4765" }, { "reference_url": "https://github.com/matrix-org/synapse/releases/tag/v1.62.0", "reference_id": "v1.62.0", "reference_type": "", "scores": [ { "value": "6.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:01:29Z/" } ], "url": "https://github.com/matrix-org/synapse/releases/tag/v1.62.0" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/26067?format=api", "purl": "pkg:pypi/matrix-synapse@1.62.0rc1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1xwm-33sy-3qfv" }, { "vulnerability": "VCID-27ht-47d2-77f6" }, { "vulnerability": "VCID-2ctw-4fy5-4ufd" }, { "vulnerability": "VCID-3ngy-dt6j-tuef" }, { "vulnerability": "VCID-5h97-3s9w-c3ab" }, { "vulnerability": "VCID-7v7h-zrjj-pkh3" }, { "vulnerability": "VCID-8n5g-1zby-77gj" }, { "vulnerability": "VCID-9uhc-e3bj-nqg7" }, { "vulnerability": "VCID-bkk8-srvr-pqfj" }, { "vulnerability": "VCID-c1vt-9j6a-b7cr" }, { "vulnerability": "VCID-hqwh-2un3-bqd8" }, { "vulnerability": "VCID-n8mv-4upg-hfa3" }, { "vulnerability": "VCID-p9ck-pwqp-qyc7" }, { "vulnerability": "VCID-rcdd-qkxt-nuez" }, { "vulnerability": "VCID-s1jf-x5ug-jqcq" }, { "vulnerability": "VCID-y6j7-eetd-pkfh" }, { "vulnerability": "VCID-yync-gs3f-nyax" }, { "vulnerability": "VCID-z6uu-5bdh-pud4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.62.0rc1" }, { "url": "http://public2.vulnerablecode.io/api/packages/71553?format=api", "purl": "pkg:pypi/matrix-synapse@1.62.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1xwm-33sy-3qfv" }, { "vulnerability": "VCID-2ctw-4fy5-4ufd" }, { "vulnerability": "VCID-3ngy-dt6j-tuef" }, { "vulnerability": "VCID-5h97-3s9w-c3ab" }, { "vulnerability": "VCID-7v7h-zrjj-pkh3" }, { "vulnerability": "VCID-8n5g-1zby-77gj" }, { "vulnerability": "VCID-9uhc-e3bj-nqg7" }, { "vulnerability": "VCID-bkk8-srvr-pqfj" }, { "vulnerability": "VCID-c1vt-9j6a-b7cr" }, { "vulnerability": "VCID-hqwh-2un3-bqd8" }, { "vulnerability": "VCID-n8mv-4upg-hfa3" }, { "vulnerability": "VCID-nhzy-spbw-hucj" }, { "vulnerability": "VCID-p9ck-pwqp-qyc7" }, { "vulnerability": "VCID-rcdd-qkxt-nuez" }, { "vulnerability": "VCID-s1jf-x5ug-jqcq" }, { "vulnerability": "VCID-y6j7-eetd-pkfh" }, { "vulnerability": "VCID-yync-gs3f-nyax" }, { "vulnerability": "VCID-z6uu-5bdh-pud4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.62.0" } ], "aliases": [ "CVE-2022-31152", "GHSA-jhjh-776m-4765", "GMS-2022-3903", "PYSEC-2022-262" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-27ht-47d2-77f6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/43197?format=api", "vulnerability_id": "VCID-2ctw-4fy5-4ufd", "summary": "Synapse is an open-source Matrix homeserver. A remote Matrix user with malicious intent, sharing a room with Synapse instances before 1.105.1, can dispatch specially crafted events to exploit a weakness in the V2 state resolution algorithm. This can induce high CPU consumption and accumulate excessive data in the database of such instances, resulting in a denial of service. Servers in private federations, or those that do not federate, are not affected. Server administrators should upgrade to 1.105.1 or later. Some workarounds are available. One can ban the malicious users or ACL block servers from the rooms and/or leave the room and purge the room using the admin API.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-31208", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0419", "scoring_system": "epss", "scoring_elements": "0.8897", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.0419", "scoring_system": "epss", "scoring_elements": "0.89013", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.0419", "scoring_system": "epss", "scoring_elements": "0.89015", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.0419", "scoring_system": "epss", "scoring_elements": "0.89008", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-31208" }, { "reference_url": "https://github.com/element-hq/synapse", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/element-hq/synapse" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2024-50.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2024-50.yaml" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R6FCCO4ODTZ3FDS7TMW76PKOSEL2TQVB", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R6FCCO4ODTZ3FDS7TMW76PKOSEL2TQVB" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RR53FNHV446CB37TP45GZ6F6HZLZCK3K", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RR53FNHV446CB37TP45GZ6F6HZLZCK3K" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSF4NJJSTSQRJQ47PLYYSCFYKJBP7DET", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSF4NJJSTSQRJQ47PLYYSCFYKJBP7DET" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1069763", "reference_id": "1069763", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1069763" }, { "reference_url": "https://github.com/element-hq/synapse/commit/55b0aa847a61774b6a3acdc4b177a20dc019f01a", "reference_id": "55b0aa847a61774b6a3acdc4b177a20dc019f01a", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-23T19:13:09Z/" } ], "url": "https://github.com/element-hq/synapse/commit/55b0aa847a61774b6a3acdc4b177a20dc019f01a" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31208", "reference_id": "CVE-2024-31208", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31208" }, { "reference_url": "https://github.com/advisories/GHSA-3h7q-rfh9-xm4v", "reference_id": "GHSA-3h7q-rfh9-xm4v", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3h7q-rfh9-xm4v" }, { "reference_url": "https://github.com/element-hq/synapse/security/advisories/GHSA-3h7q-rfh9-xm4v", "reference_id": "GHSA-3h7q-rfh9-xm4v", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-23T19:13:09Z/" } ], "url": "https://github.com/element-hq/synapse/security/advisories/GHSA-3h7q-rfh9-xm4v" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R6FCCO4ODTZ3FDS7TMW76PKOSEL2TQVB/", "reference_id": "R6FCCO4ODTZ3FDS7TMW76PKOSEL2TQVB", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-23T19:13:09Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R6FCCO4ODTZ3FDS7TMW76PKOSEL2TQVB/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RR53FNHV446CB37TP45GZ6F6HZLZCK3K/", "reference_id": "RR53FNHV446CB37TP45GZ6F6HZLZCK3K", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-23T19:13:09Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RR53FNHV446CB37TP45GZ6F6HZLZCK3K/" }, { "reference_url": "https://usn.ubuntu.com/7444-1/", "reference_id": "USN-7444-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7444-1/" }, { "reference_url": "https://github.com/element-hq/synapse/releases/tag/v1.105.1", "reference_id": "v1.105.1", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-23T19:13:09Z/" } ], "url": "https://github.com/element-hq/synapse/releases/tag/v1.105.1" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSF4NJJSTSQRJQ47PLYYSCFYKJBP7DET/", "reference_id": "VSF4NJJSTSQRJQ47PLYYSCFYKJBP7DET", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-23T19:13:09Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSF4NJJSTSQRJQ47PLYYSCFYKJBP7DET/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/30721?format=api", "purl": "pkg:pypi/matrix-synapse@1.105.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1xwm-33sy-3qfv" }, { "vulnerability": "VCID-3ngy-dt6j-tuef" }, { "vulnerability": "VCID-7v7h-zrjj-pkh3" }, { "vulnerability": "VCID-c1vt-9j6a-b7cr" }, { "vulnerability": "VCID-hqwh-2un3-bqd8" }, { "vulnerability": "VCID-n8mv-4upg-hfa3" }, { "vulnerability": "VCID-rcdd-qkxt-nuez" }, { "vulnerability": "VCID-s1jf-x5ug-jqcq" }, { "vulnerability": "VCID-y6j7-eetd-pkfh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.105.1" } ], "aliases": [ "CVE-2024-31208", "GHSA-3h7q-rfh9-xm4v", "PYSEC-2024-50" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2ctw-4fy5-4ufd" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/218106?format=api", "vulnerability_id": "VCID-2du1-3n24-rbgx", "summary": "Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.25.0, requests to user provided domains were not restricted to external IP addresses when calculating the key validity for third-party invite events and sending push notifications. This could cause Synapse to make requests to internal infrastructure. The type of request was not controlled by the user, although limited modification of request bodies was possible. For the most thorough protection server administrators should remove the deprecated `federation_ip_range_blacklist` from their settings after upgrading to Synapse v1.25.0 which will result in Synapse using the improved default IP address restrictions. See the new `ip_range_blacklist` and `ip_range_whitelist` settings if more specific control is necessary.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-21273", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00322", "scoring_system": "epss", "scoring_elements": "0.55672", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00322", "scoring_system": "epss", "scoring_elements": "0.55791", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00322", "scoring_system": "epss", "scoring_elements": "0.55807", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00322", "scoring_system": "epss", "scoring_elements": "0.55793", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-21273" }, { "reference_url": "https://github.com/matrix-org/synapse", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse" }, { "reference_url": "https://github.com/matrix-org/synapse/commit/30fba6210834a4ecd91badf0c8f3eb278b72e746", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/commit/30fba6210834a4ecd91badf0c8f3eb278b72e746" }, { "reference_url": "https://github.com/matrix-org/synapse/pull/8821", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/pull/8821" }, { "reference_url": "https://github.com/matrix-org/synapse/releases/tag/v1.25.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/releases/tag/v1.25.0" }, { "reference_url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-v936-j8gp-9q3p", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-v936-j8gp-9q3p" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-131.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-131.yaml" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21273", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21273" }, { "reference_url": "https://github.com/advisories/GHSA-v936-j8gp-9q3p", "reference_id": "GHSA-v936-j8gp-9q3p", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-v936-j8gp-9q3p" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/62732?format=api", "purl": "pkg:pypi/matrix-synapse@1.25.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1xwm-33sy-3qfv" }, { "vulnerability": "VCID-27ht-47d2-77f6" }, { "vulnerability": "VCID-2ctw-4fy5-4ufd" }, { "vulnerability": "VCID-3ngy-dt6j-tuef" }, { "vulnerability": "VCID-4kph-6snj-huhk" }, { "vulnerability": "VCID-5h97-3s9w-c3ab" }, { "vulnerability": "VCID-7v7h-zrjj-pkh3" }, { "vulnerability": "VCID-86br-xun2-gudx" }, { "vulnerability": "VCID-8974-zsm2-ybbv" }, { "vulnerability": "VCID-8n5g-1zby-77gj" }, { "vulnerability": "VCID-9uhc-e3bj-nqg7" }, { "vulnerability": "VCID-b2u5-56b4-63ae" }, { "vulnerability": "VCID-bkk8-srvr-pqfj" }, { "vulnerability": "VCID-c1vt-9j6a-b7cr" }, { "vulnerability": "VCID-cjar-y1hc-4ybu" }, { "vulnerability": "VCID-dux1-nmrm-xqa1" }, { "vulnerability": "VCID-g8ff-1859-ekhm" }, { "vulnerability": "VCID-hqwh-2un3-bqd8" }, { "vulnerability": "VCID-j879-8928-yyh8" }, { "vulnerability": "VCID-n8mv-4upg-hfa3" }, { "vulnerability": "VCID-p9ck-pwqp-qyc7" }, { "vulnerability": "VCID-rcdd-qkxt-nuez" }, { "vulnerability": "VCID-s1jf-x5ug-jqcq" }, { "vulnerability": "VCID-sz98-t7z9-bqea" }, { "vulnerability": "VCID-v2m6-n5w2-wfc5" }, { "vulnerability": "VCID-vns7-ssd1-8bhe" }, { "vulnerability": "VCID-y6j7-eetd-pkfh" }, { "vulnerability": "VCID-yu4n-aq57-67g5" }, { "vulnerability": "VCID-yync-gs3f-nyax" }, { "vulnerability": "VCID-z6uu-5bdh-pud4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.25.0" } ], "aliases": [ "CVE-2021-21273", "GHSA-v936-j8gp-9q3p", "PYSEC-2021-131" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2du1-3n24-rbgx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/90078?format=api", "vulnerability_id": "VCID-3ngy-dt6j-tuef", "summary": "Synapse is an open source Matrix homeserver implementation. A malicious server can craft events which, when received, prevent Synapse version up to 1.127.0 from federating with other servers. The vulnerability has been exploited in the wild and has been fixed in Synapse v1.127.1. No known workarounds are available.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-30355", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.13201", "scoring_system": "epss", "scoring_elements": "0.94296", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.13201", "scoring_system": "epss", "scoring_elements": "0.94323", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.13201", "scoring_system": "epss", "scoring_elements": "0.94317", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.13201", "scoring_system": "epss", "scoring_elements": "0.94321", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-30355" }, { "reference_url": "https://github.com/element-hq/synapse", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/element-hq/synapse" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30355", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30355" }, { "reference_url": "https://github.com/element-hq/synapse/commit/2277df2a1eb685f85040ef98fa21d41aa4cdd389", "reference_id": "2277df2a1eb685f85040ef98fa21d41aa4cdd389", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-27T13:47:41Z/" } ], "url": "https://github.com/element-hq/synapse/commit/2277df2a1eb685f85040ef98fa21d41aa4cdd389" }, { "reference_url": "https://github.com/advisories/GHSA-v56r-hwv5-mxg6", "reference_id": "GHSA-v56r-hwv5-mxg6", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-v56r-hwv5-mxg6" }, { "reference_url": "https://github.com/element-hq/synapse/security/advisories/GHSA-v56r-hwv5-mxg6", "reference_id": "GHSA-v56r-hwv5-mxg6", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-27T13:47:41Z/" } ], "url": "https://github.com/element-hq/synapse/security/advisories/GHSA-v56r-hwv5-mxg6" }, { "reference_url": "https://github.com/element-hq/synapse/releases/tag/v1.127.1", "reference_id": "v1.127.1", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-27T13:47:41Z/" } ], "url": "https://github.com/element-hq/synapse/releases/tag/v1.127.1" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/93875?format=api", "purl": "pkg:pypi/matrix-synapse@1.127.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1xwm-33sy-3qfv" }, { "vulnerability": "VCID-n8mv-4upg-hfa3" }, { "vulnerability": "VCID-y6j7-eetd-pkfh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.127.1" } ], "aliases": [ "CVE-2025-30355", "GHSA-v56r-hwv5-mxg6" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-3ngy-dt6j-tuef" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/218124?format=api", "vulnerability_id": "VCID-4kph-6snj-huhk", "summary": "Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0 Synapse is missing input validation of some parameters on the endpoints used to confirm third-party identifiers could cause excessive use of disk space and memory leading to resource exhaustion. Note that the groups feature is not part of the Matrix specification and the chosen maximum lengths are arbitrary. Not all clients might abide by them. Refer to referenced GitHub security advisory for additional details including workarounds.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-21394", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00519", "scoring_system": "epss", "scoring_elements": "0.67205", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00519", "scoring_system": "epss", "scoring_elements": "0.67297", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00519", "scoring_system": "epss", "scoring_elements": "0.67311", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-21394" }, { "reference_url": "https://github.com/matrix-org/synapse", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse" }, { "reference_url": "https://github.com/matrix-org/synapse/pull/9321", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/pull/9321" }, { "reference_url": "https://github.com/matrix-org/synapse/pull/9393", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/pull/9393" }, { "reference_url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-w9fg-xffh-p362", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-w9fg-xffh-p362" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-27.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-27.yaml" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21394", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21394" }, { "reference_url": "https://pypi.org/project/matrix-synapse", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://pypi.org/project/matrix-synapse" }, { "reference_url": "https://pypi.org/project/matrix-synapse/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://pypi.org/project/matrix-synapse/" }, { "reference_url": "https://github.com/advisories/GHSA-w9fg-xffh-p362", "reference_id": "GHSA-w9fg-xffh-p362", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-w9fg-xffh-p362" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/64060?format=api", "purl": "pkg:pypi/matrix-synapse@1.28.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1xwm-33sy-3qfv" }, { "vulnerability": "VCID-27ht-47d2-77f6" }, { "vulnerability": "VCID-2ctw-4fy5-4ufd" }, { "vulnerability": "VCID-3ngy-dt6j-tuef" }, { "vulnerability": "VCID-5h97-3s9w-c3ab" }, { "vulnerability": "VCID-7v7h-zrjj-pkh3" }, { "vulnerability": "VCID-86br-xun2-gudx" }, { "vulnerability": "VCID-8974-zsm2-ybbv" }, { "vulnerability": "VCID-8n5g-1zby-77gj" }, { "vulnerability": "VCID-9uhc-e3bj-nqg7" }, { "vulnerability": "VCID-b2u5-56b4-63ae" }, { "vulnerability": "VCID-bkk8-srvr-pqfj" }, { "vulnerability": "VCID-c1vt-9j6a-b7cr" }, { "vulnerability": "VCID-dux1-nmrm-xqa1" }, { "vulnerability": "VCID-g8ff-1859-ekhm" }, { "vulnerability": "VCID-hqwh-2un3-bqd8" }, { "vulnerability": "VCID-n8mv-4upg-hfa3" }, { "vulnerability": "VCID-p9ck-pwqp-qyc7" }, { "vulnerability": "VCID-rcdd-qkxt-nuez" }, { "vulnerability": "VCID-s1jf-x5ug-jqcq" }, { "vulnerability": "VCID-sz98-t7z9-bqea" }, { "vulnerability": "VCID-vns7-ssd1-8bhe" }, { "vulnerability": "VCID-y6j7-eetd-pkfh" }, { "vulnerability": "VCID-yync-gs3f-nyax" }, { "vulnerability": "VCID-z6uu-5bdh-pud4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.28.0" } ], "aliases": [ "CVE-2021-21394", "GHSA-w9fg-xffh-p362", "PYSEC-2021-27" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4kph-6snj-huhk" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/135527?format=api", "vulnerability_id": "VCID-5h97-3s9w-c3ab", "summary": "Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. Users were able to forge read receipts for any event (if they knew the room ID and event ID). Note that the users were not able to view the events, but simply mark it as read. This could be confusing as clients will show the event as read by the user, even if they are not in the room. This issue has been patched in version 1.93.0. Users are advised to upgrade. There are no known workarounds for this issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-42453", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00132", "scoring_system": "epss", "scoring_elements": "0.32334", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00132", "scoring_system": "epss", "scoring_elements": "0.32515", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00132", "scoring_system": "epss", "scoring_elements": "0.32513", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00132", "scoring_system": "epss", "scoring_elements": "0.32535", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-42453" }, { "reference_url": "https://github.com/matrix-org/synapse", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse" }, { "reference_url": "https://github.com/matrix-org/synapse/commit/63d28a88c1d18c64ea7e23b6dd7483e6d5dcf881", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/commit/63d28a88c1d18c64ea7e23b6dd7483e6d5dcf881" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2023-180.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2023-180.yaml" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AFB2Y3S2VCPCN5P2XCZTG24MBMZ7DM4", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AFB2Y3S2VCPCN5P2XCZTG24MBMZ7DM4" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/65QPC55I4D27HIZP7H2NQ34EOXHPP4AO", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/65QPC55I4D27HIZP7H2NQ34EOXHPP4AO" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N6P4QULVUE254WI7XF2LWWOGHCYVFXFY", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N6P4QULVUE254WI7XF2LWWOGHCYVFXFY" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42453", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42453" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053283", "reference_id": "1053283", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053283" }, { "reference_url": "https://github.com/matrix-org/synapse/pull/16327", "reference_id": "16327", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-09T16:28:42Z/" } ], "url": "https://github.com/matrix-org/synapse/pull/16327" }, { "reference_url": "https://security.gentoo.org/glsa/202401-12", "reference_id": "202401-12", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-09T16:28:42Z/" } ], "url": "https://security.gentoo.org/glsa/202401-12" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AFB2Y3S2VCPCN5P2XCZTG24MBMZ7DM4/", "reference_id": "2AFB2Y3S2VCPCN5P2XCZTG24MBMZ7DM4", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-09T16:28:42Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AFB2Y3S2VCPCN5P2XCZTG24MBMZ7DM4/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/65QPC55I4D27HIZP7H2NQ34EOXHPP4AO/", "reference_id": "65QPC55I4D27HIZP7H2NQ34EOXHPP4AO", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-09T16:28:42Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/65QPC55I4D27HIZP7H2NQ34EOXHPP4AO/" }, { "reference_url": "https://github.com/advisories/GHSA-7565-cq32-vx2x", "reference_id": "GHSA-7565-cq32-vx2x", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7565-cq32-vx2x" }, { "reference_url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-7565-cq32-vx2x", "reference_id": "GHSA-7565-cq32-vx2x", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-09T16:28:42Z/" } ], "url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-7565-cq32-vx2x" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N6P4QULVUE254WI7XF2LWWOGHCYVFXFY/", "reference_id": "N6P4QULVUE254WI7XF2LWWOGHCYVFXFY", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-09T16:28:42Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N6P4QULVUE254WI7XF2LWWOGHCYVFXFY/" }, { "reference_url": "https://usn.ubuntu.com/7444-1/", "reference_id": "USN-7444-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7444-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/78535?format=api", "purl": "pkg:pypi/matrix-synapse@1.93.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1xwm-33sy-3qfv" }, { "vulnerability": "VCID-2ctw-4fy5-4ufd" }, { "vulnerability": "VCID-3ngy-dt6j-tuef" }, { "vulnerability": "VCID-7v7h-zrjj-pkh3" }, { "vulnerability": "VCID-c1vt-9j6a-b7cr" }, { "vulnerability": "VCID-hqwh-2un3-bqd8" }, { "vulnerability": "VCID-n8mv-4upg-hfa3" }, { "vulnerability": "VCID-rcdd-qkxt-nuez" }, { "vulnerability": "VCID-s1jf-x5ug-jqcq" }, { "vulnerability": "VCID-y6j7-eetd-pkfh" }, { "vulnerability": "VCID-yync-gs3f-nyax" }, { "vulnerability": "VCID-z6uu-5bdh-pud4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.93.0" } ], "aliases": [ "CVE-2023-42453", "GHSA-7565-cq32-vx2x", "PYSEC-2023-180" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5h97-3s9w-c3ab" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/197715?format=api", "vulnerability_id": "VCID-6a8s-n8vb-hker", "summary": "denial of service", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-26257", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0045", "scoring_system": "epss", "scoring_elements": "0.64075", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.0045", "scoring_system": "epss", "scoring_elements": "0.64189", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.0045", "scoring_system": "epss", "scoring_elements": "0.64192", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.0045", "scoring_system": "epss", "scoring_elements": "0.64178", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-26257" }, { "reference_url": "https://github.com/matrix-org/synapse/blob/develop/CHANGES.md#synapse-1231-2020-12-09", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/blob/develop/CHANGES.md#synapse-1231-2020-12-09" }, { "reference_url": "https://github.com/matrix-org/synapse/commit/3ce2f303f15f6ac3dc352298972dc6e04d9b7a8b", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/commit/3ce2f303f15f6ac3dc352298972dc6e04d9b7a8b" }, { "reference_url": "https://github.com/matrix-org/synapse/pull/8776", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/pull/8776" }, { "reference_url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-hxmp-pqch-c8mm", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-hxmp-pqch-c8mm" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2020-236.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2020-236.yaml" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DBTIU3ZNBFWZ56V4X7JIAD33V5H2GOMC", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DBTIU3ZNBFWZ56V4X7JIAD33V5H2GOMC" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DBTIU3ZNBFWZ56V4X7JIAD33V5H2GOMC/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DBTIU3ZNBFWZ56V4X7JIAD33V5H2GOMC/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QR4MMYZKX5N5GYGH4H5LBUUC5TLAFHI7", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QR4MMYZKX5N5GYGH4H5LBUUC5TLAFHI7" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QR4MMYZKX5N5GYGH4H5LBUUC5TLAFHI7/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QR4MMYZKX5N5GYGH4H5LBUUC5TLAFHI7/" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26257", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26257" }, { "reference_url": "https://security.archlinux.org/AVG-1341", "reference_id": "AVG-1341", "reference_type": "", "scores": [ { "value": "Medium", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-1341" }, { "reference_url": "https://github.com/advisories/GHSA-hxmp-pqch-c8mm", "reference_id": "GHSA-hxmp-pqch-c8mm", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-hxmp-pqch-c8mm" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/61796?format=api", "purl": "pkg:pypi/matrix-synapse@1.23.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1xwm-33sy-3qfv" }, { "vulnerability": "VCID-27ht-47d2-77f6" }, { "vulnerability": "VCID-2ctw-4fy5-4ufd" }, { "vulnerability": "VCID-2du1-3n24-rbgx" }, { "vulnerability": "VCID-3ngy-dt6j-tuef" }, { "vulnerability": "VCID-4kph-6snj-huhk" }, { "vulnerability": "VCID-5h97-3s9w-c3ab" }, { "vulnerability": "VCID-7v7h-zrjj-pkh3" }, { "vulnerability": "VCID-86br-xun2-gudx" }, { "vulnerability": "VCID-8974-zsm2-ybbv" }, { "vulnerability": "VCID-8n5g-1zby-77gj" }, { "vulnerability": "VCID-9uhc-e3bj-nqg7" }, { "vulnerability": "VCID-ahwq-36cc-pqhn" }, { "vulnerability": "VCID-b2u5-56b4-63ae" }, { "vulnerability": "VCID-bkk8-srvr-pqfj" }, { "vulnerability": "VCID-c1vt-9j6a-b7cr" }, { "vulnerability": "VCID-cjar-y1hc-4ybu" }, { "vulnerability": "VCID-dux1-nmrm-xqa1" }, { "vulnerability": "VCID-g8ff-1859-ekhm" }, { "vulnerability": "VCID-hqwh-2un3-bqd8" }, { "vulnerability": "VCID-j879-8928-yyh8" }, { "vulnerability": "VCID-n8mv-4upg-hfa3" }, { "vulnerability": "VCID-p9ck-pwqp-qyc7" }, { "vulnerability": "VCID-rcdd-qkxt-nuez" }, { "vulnerability": "VCID-s1jf-x5ug-jqcq" }, { "vulnerability": "VCID-sz98-t7z9-bqea" }, { "vulnerability": "VCID-v2m6-n5w2-wfc5" }, { "vulnerability": "VCID-vns7-ssd1-8bhe" }, { "vulnerability": "VCID-y6j7-eetd-pkfh" }, { "vulnerability": "VCID-yu4n-aq57-67g5" }, { "vulnerability": "VCID-yync-gs3f-nyax" }, { "vulnerability": "VCID-z6uu-5bdh-pud4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.23.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/62728?format=api", "purl": "pkg:pypi/matrix-synapse@1.24.0rc1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1xwm-33sy-3qfv" }, { "vulnerability": "VCID-27ht-47d2-77f6" }, { "vulnerability": "VCID-2ctw-4fy5-4ufd" }, { "vulnerability": "VCID-2du1-3n24-rbgx" }, { "vulnerability": "VCID-3ngy-dt6j-tuef" }, { "vulnerability": "VCID-4kph-6snj-huhk" }, { "vulnerability": "VCID-5h97-3s9w-c3ab" }, { "vulnerability": "VCID-7v7h-zrjj-pkh3" }, { "vulnerability": "VCID-86br-xun2-gudx" }, { "vulnerability": "VCID-8974-zsm2-ybbv" }, { "vulnerability": "VCID-8n5g-1zby-77gj" }, { "vulnerability": "VCID-9uhc-e3bj-nqg7" }, { "vulnerability": "VCID-ahwq-36cc-pqhn" }, { "vulnerability": "VCID-b2u5-56b4-63ae" }, { "vulnerability": "VCID-bkk8-srvr-pqfj" }, { "vulnerability": "VCID-c1vt-9j6a-b7cr" }, { "vulnerability": "VCID-cjar-y1hc-4ybu" }, { "vulnerability": "VCID-dux1-nmrm-xqa1" }, { "vulnerability": "VCID-g8ff-1859-ekhm" }, { "vulnerability": "VCID-hqwh-2un3-bqd8" }, { "vulnerability": "VCID-j879-8928-yyh8" }, { "vulnerability": "VCID-n8mv-4upg-hfa3" }, { "vulnerability": "VCID-p9ck-pwqp-qyc7" }, { "vulnerability": "VCID-rcdd-qkxt-nuez" }, { "vulnerability": "VCID-s1jf-x5ug-jqcq" }, { "vulnerability": "VCID-sz98-t7z9-bqea" }, { "vulnerability": "VCID-v2m6-n5w2-wfc5" }, { "vulnerability": "VCID-vns7-ssd1-8bhe" }, { "vulnerability": "VCID-y6j7-eetd-pkfh" }, { "vulnerability": "VCID-yu4n-aq57-67g5" }, { "vulnerability": "VCID-yync-gs3f-nyax" }, { "vulnerability": "VCID-z6uu-5bdh-pud4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.24.0rc1" } ], "aliases": [ "CVE-2020-26257", "GHSA-hxmp-pqch-c8mm", "PYSEC-2020-236" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6a8s-n8vb-hker" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/45042?format=api", "vulnerability_id": "VCID-7v7h-zrjj-pkh3", "summary": "Synapse is an open-source Matrix homeserver. Synapse versions before 1.106 are vulnerable to a disk fill attack, where an unauthenticated adversary can induce Synapse to download and cache large amounts of remote media. The default rate limit strategy is insufficient to mitigate this. This can lead to a denial of service, ranging from further media uploads/downloads failing to completely unavailability of the Synapse process, depending on how Synapse was deployed. Synapse 1.106 introduces a new \"leaky bucket\" rate limit on remote media downloads to reduce the amount of data a user can request at a time. This does not fully address the issue, but does limit an unauthenticated user's ability to request large amounts of data to be cached.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-37302", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00568", "scoring_system": "epss", "scoring_elements": "0.69089", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00568", "scoring_system": "epss", "scoring_elements": "0.69096", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00568", "scoring_system": "epss", "scoring_elements": "0.68997", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00568", "scoring_system": "epss", "scoring_elements": "0.69101", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-37302" }, { "reference_url": "https://github.com/element-hq/synapse", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/element-hq/synapse" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2024-286.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2024-286.yaml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37302", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37302" }, { "reference_url": "https://github.com/advisories/GHSA-4mhg-xv73-xq2x", "reference_id": "GHSA-4mhg-xv73-xq2x", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4mhg-xv73-xq2x" }, { "reference_url": "https://github.com/element-hq/synapse/security/advisories/GHSA-4mhg-xv73-xq2x", "reference_id": "GHSA-4mhg-xv73-xq2x", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-12-03T18:55:21Z/" } ], "url": "https://github.com/element-hq/synapse/security/advisories/GHSA-4mhg-xv73-xq2x" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/86739?format=api", "purl": "pkg:pypi/matrix-synapse@1.106.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1xwm-33sy-3qfv" }, { "vulnerability": "VCID-3ngy-dt6j-tuef" }, { "vulnerability": "VCID-hqwh-2un3-bqd8" }, { "vulnerability": "VCID-n8mv-4upg-hfa3" }, { "vulnerability": "VCID-rcdd-qkxt-nuez" }, { "vulnerability": "VCID-s1jf-x5ug-jqcq" }, { "vulnerability": "VCID-y6j7-eetd-pkfh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.106.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/372289?format=api", "purl": "pkg:pypi/matrix-synapse@1.106", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.106" } ], "aliases": [ "CVE-2024-37302", "GHSA-4mhg-xv73-xq2x", "PYSEC-2024-286" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7v7h-zrjj-pkh3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/197648?format=api", "vulnerability_id": "VCID-86br-xun2-gudx", "summary": "denial of service", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-29471", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00337", "scoring_system": "epss", "scoring_elements": "0.56902", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00337", "scoring_system": "epss", "scoring_elements": "0.5703", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00337", "scoring_system": "epss", "scoring_elements": "0.57037", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00337", "scoring_system": "epss", "scoring_elements": "0.57023", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-29471" }, { "reference_url": "https://github.com/matrix-org/synapse", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse" }, { "reference_url": "https://github.com/matrix-org/synapse/commit/03318a766cac9f8b053db2214d9c332a977d226c", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/commit/03318a766cac9f8b053db2214d9c332a977d226c" }, { "reference_url": "https://github.com/matrix-org/synapse/releases/tag/v1.33.2", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/releases/tag/v1.33.2" }, { "reference_url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-x345-32rc-8h85", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-x345-32rc-8h85" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-135.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-135.yaml" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29471", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29471" }, { "reference_url": "https://security.archlinux.org/ASA-202105-19", "reference_id": "ASA-202105-19", "reference_type": "", "scores": [], "url": "https://security.archlinux.org/ASA-202105-19" }, { "reference_url": "https://security.archlinux.org/AVG-1943", "reference_id": "AVG-1943", "reference_type": "", "scores": [ { "value": "Medium", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-1943" }, { "reference_url": "https://github.com/advisories/GHSA-x345-32rc-8h85", "reference_id": "GHSA-x345-32rc-8h85", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-x345-32rc-8h85" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/64442?format=api", "purl": "pkg:pypi/matrix-synapse@1.33.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1xwm-33sy-3qfv" }, { "vulnerability": "VCID-27ht-47d2-77f6" }, { "vulnerability": "VCID-2ctw-4fy5-4ufd" }, { "vulnerability": "VCID-3ngy-dt6j-tuef" }, { "vulnerability": "VCID-5h97-3s9w-c3ab" }, { "vulnerability": "VCID-7v7h-zrjj-pkh3" }, { "vulnerability": "VCID-8n5g-1zby-77gj" }, { "vulnerability": "VCID-9uhc-e3bj-nqg7" }, { "vulnerability": "VCID-b2u5-56b4-63ae" }, { "vulnerability": "VCID-bkk8-srvr-pqfj" }, { "vulnerability": "VCID-c1vt-9j6a-b7cr" }, { "vulnerability": "VCID-dux1-nmrm-xqa1" }, { "vulnerability": "VCID-g8ff-1859-ekhm" }, { "vulnerability": "VCID-hqwh-2un3-bqd8" }, { "vulnerability": "VCID-n8mv-4upg-hfa3" }, { "vulnerability": "VCID-p9ck-pwqp-qyc7" }, { "vulnerability": "VCID-rcdd-qkxt-nuez" }, { "vulnerability": "VCID-s1jf-x5ug-jqcq" }, { "vulnerability": "VCID-sz98-t7z9-bqea" }, { "vulnerability": "VCID-vns7-ssd1-8bhe" }, { "vulnerability": "VCID-y6j7-eetd-pkfh" }, { "vulnerability": "VCID-yync-gs3f-nyax" }, { "vulnerability": "VCID-z6uu-5bdh-pud4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.33.2" } ], "aliases": [ "CVE-2021-29471", "GHSA-x345-32rc-8h85", "PYSEC-2021-135" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-86br-xun2-gudx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/361309?format=api", "vulnerability_id": "VCID-8974-zsm2-ybbv", "summary": "Denial of service (via resource exhaustion) due to improper input validation in third-party identifier endpoint\n### Impact\nMissing input validation of some parameters on the endpoints used to confirm third-party identifiers could cause excessive use of disk space and memory leading to resource exhaustion.\n\n### Patches\nThe issue is fixed by https://github.com/matrix-org/synapse/pull/9855.\n\n### Workarounds\nThere are no known workarounds.\n\n### References\nn/a\n\n### For more information\nIf you have any questions or comments about this advisory, email us at security@matrix.org.", "references": [ { "reference_url": "https://github.com/matrix-org/synapse/pull/9855", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/pull/9855" }, { "reference_url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-7h5v-85w9-pq6c", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-7h5v-85w9-pq6c" }, { "reference_url": "https://github.com/advisories/GHSA-7h5v-85w9-pq6c", "reference_id": "GHSA-7h5v-85w9-pq6c", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7h5v-85w9-pq6c" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/64440?format=api", "purl": "pkg:pypi/matrix-synapse@1.33.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1xwm-33sy-3qfv" }, { "vulnerability": "VCID-27ht-47d2-77f6" }, { "vulnerability": "VCID-2ctw-4fy5-4ufd" }, { "vulnerability": "VCID-3ngy-dt6j-tuef" }, { "vulnerability": "VCID-5h97-3s9w-c3ab" }, { "vulnerability": "VCID-7v7h-zrjj-pkh3" }, { "vulnerability": "VCID-86br-xun2-gudx" }, { "vulnerability": "VCID-8n5g-1zby-77gj" }, { "vulnerability": "VCID-9uhc-e3bj-nqg7" }, { "vulnerability": "VCID-b2u5-56b4-63ae" }, { "vulnerability": "VCID-bkk8-srvr-pqfj" }, { "vulnerability": "VCID-c1vt-9j6a-b7cr" }, { "vulnerability": "VCID-dux1-nmrm-xqa1" }, { "vulnerability": "VCID-g8ff-1859-ekhm" }, { "vulnerability": "VCID-hqwh-2un3-bqd8" }, { "vulnerability": "VCID-n8mv-4upg-hfa3" }, { "vulnerability": "VCID-p9ck-pwqp-qyc7" }, { "vulnerability": "VCID-rcdd-qkxt-nuez" }, { "vulnerability": "VCID-s1jf-x5ug-jqcq" }, { "vulnerability": "VCID-sz98-t7z9-bqea" }, { "vulnerability": "VCID-vns7-ssd1-8bhe" }, { "vulnerability": "VCID-y6j7-eetd-pkfh" }, { "vulnerability": "VCID-yync-gs3f-nyax" }, { "vulnerability": "VCID-z6uu-5bdh-pud4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.33.0" } ], "aliases": [ "GHSA-7h5v-85w9-pq6c", "GMS-2021-169" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8974-zsm2-ybbv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/143452?format=api", "vulnerability_id": "VCID-8n5g-1zby-77gj", "summary": "Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. A malicious user on a Synapse homeserver X with permission to create certain state events can disable outbound federation from X to an arbitrary homeserver Y. Synapse instances with federation disabled are not affected. In versions of Synapse up to and including 1.73, Synapse did not limit the size of `invite_room_state`, meaning that it was possible to create an arbitrarily large invite event. Synapse 1.74 refuses to create oversized `invite_room_state` fields. Server operators should upgrade to Synapse 1.74 or newer urgently.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-32323", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00142", "scoring_system": "epss", "scoring_elements": "0.34178", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00142", "scoring_system": "epss", "scoring_elements": "0.34356", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00165", "scoring_system": "epss", "scoring_elements": "0.37563", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00165", "scoring_system": "epss", "scoring_elements": "0.3755", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-32323" }, { "reference_url": "https://github.com/matrix-org/synapse", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2023-67.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2023-67.yaml" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJIJRP5ZH6B3KGFLHCAKR2IX2Y4Z25QD", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJIJRP5ZH6B3KGFLHCAKR2IX2Y4Z25QD" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32323", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32323" }, { "reference_url": "https://github.com/matrix-org/synapse/issues/14492", "reference_id": "14492", "reference_type": "", "scores": [ { "value": "5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L" }, { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-14T20:00:17Z/" } ], "url": "https://github.com/matrix-org/synapse/issues/14492" }, { "reference_url": "https://github.com/matrix-org/synapse/pull/14642", "reference_id": "14642", "reference_type": "", "scores": [ { "value": "5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L" }, { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-14T20:00:17Z/" } ], "url": "https://github.com/matrix-org/synapse/pull/14642" }, { "reference_url": "https://github.com/advisories/GHSA-f3wc-3vxv-xmvr", "reference_id": "GHSA-f3wc-3vxv-xmvr", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-f3wc-3vxv-xmvr" }, { "reference_url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-f3wc-3vxv-xmvr", "reference_id": "GHSA-f3wc-3vxv-xmvr", "reference_type": "", "scores": [ { "value": "5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L" }, { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-14T20:00:17Z/" } ], "url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-f3wc-3vxv-xmvr" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJIJRP5ZH6B3KGFLHCAKR2IX2Y4Z25QD/", "reference_id": "UJIJRP5ZH6B3KGFLHCAKR2IX2Y4Z25QD", "reference_type": "", "scores": [ { "value": "5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-14T20:00:17Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJIJRP5ZH6B3KGFLHCAKR2IX2Y4Z25QD/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/76181?format=api", "purl": "pkg:pypi/matrix-synapse@1.74.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1xwm-33sy-3qfv" }, { "vulnerability": "VCID-2ctw-4fy5-4ufd" }, { "vulnerability": "VCID-3ngy-dt6j-tuef" }, { "vulnerability": "VCID-5h97-3s9w-c3ab" }, { "vulnerability": "VCID-7v7h-zrjj-pkh3" }, { "vulnerability": "VCID-bkk8-srvr-pqfj" }, { "vulnerability": "VCID-c1vt-9j6a-b7cr" }, { "vulnerability": "VCID-hqwh-2un3-bqd8" }, { "vulnerability": "VCID-husr-u735-97hh" }, { "vulnerability": "VCID-n8mv-4upg-hfa3" }, { "vulnerability": "VCID-p9ck-pwqp-qyc7" }, { "vulnerability": "VCID-rcdd-qkxt-nuez" }, { "vulnerability": "VCID-s1jf-x5ug-jqcq" }, { "vulnerability": "VCID-y6j7-eetd-pkfh" }, { "vulnerability": "VCID-yync-gs3f-nyax" }, { "vulnerability": "VCID-z6uu-5bdh-pud4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.74.0" } ], "aliases": [ "CVE-2023-32323", "GHSA-f3wc-3vxv-xmvr", "PYSEC-2023-67" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8n5g-1zby-77gj" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/168187?format=api", "vulnerability_id": "VCID-9uhc-e3bj-nqg7", "summary": "Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. The Matrix Federation API allows remote homeservers to request the authorization events in a room. This is necessary so that a homeserver receiving some events can validate that those events are legitimate and permitted in their room. However, in versions of Synapse up to and including 1.68.0, a Synapse homeserver answering a query for authorization events does not sufficiently check that the requesting server should be able to access them. The issue was patched in Synapse 1.69.0. Homeserver administrators are advised to upgrade.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-39335", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00138", "scoring_system": "epss", "scoring_elements": "0.33519", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00138", "scoring_system": "epss", "scoring_elements": "0.33699", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.0016", "scoring_system": "epss", "scoring_elements": "0.36899", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.0016", "scoring_system": "epss", "scoring_elements": "0.36885", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-39335" }, { "reference_url": "https://github.com/matrix-org/synapse", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2023-65.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2023-65.yaml" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T2MBNMZAFY4RCZL2VGBGAPKGB4JUPZVS", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T2MBNMZAFY4RCZL2VGBGAPKGB4JUPZVS" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39335", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39335" }, { "reference_url": "https://github.com/matrix-org/synapse/issues/13288", "reference_id": "13288", "reference_type": "", "scores": [ { "value": "5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-14T19:45:19Z/" } ], "url": "https://github.com/matrix-org/synapse/issues/13288" }, { "reference_url": "https://github.com/matrix-org/synapse/pull/13823", "reference_id": "13823", "reference_type": "", "scores": [ { "value": "5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-14T19:45:19Z/" } ], "url": "https://github.com/matrix-org/synapse/pull/13823" }, { "reference_url": "https://github.com/advisories/GHSA-45cj-f97f-ggwv", "reference_id": "GHSA-45cj-f97f-ggwv", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-45cj-f97f-ggwv" }, { "reference_url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-45cj-f97f-ggwv", "reference_id": "GHSA-45cj-f97f-ggwv", "reference_type": "", "scores": [ { "value": "5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-14T19:45:19Z/" } ], "url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-45cj-f97f-ggwv" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T2MBNMZAFY4RCZL2VGBGAPKGB4JUPZVS/", "reference_id": "T2MBNMZAFY4RCZL2VGBGAPKGB4JUPZVS", "reference_type": "", "scores": [ { "value": "5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-14T19:45:19Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T2MBNMZAFY4RCZL2VGBGAPKGB4JUPZVS/" }, { "reference_url": "https://usn.ubuntu.com/7444-1/", "reference_id": "USN-7444-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7444-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/76168?format=api", "purl": "pkg:pypi/matrix-synapse@1.69.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1xwm-33sy-3qfv" }, { "vulnerability": "VCID-2ctw-4fy5-4ufd" }, { "vulnerability": "VCID-3ngy-dt6j-tuef" }, { "vulnerability": "VCID-5h97-3s9w-c3ab" }, { "vulnerability": "VCID-7v7h-zrjj-pkh3" }, { "vulnerability": "VCID-8n5g-1zby-77gj" }, { "vulnerability": "VCID-bkk8-srvr-pqfj" }, { "vulnerability": "VCID-c1vt-9j6a-b7cr" }, { "vulnerability": "VCID-hqwh-2un3-bqd8" }, { "vulnerability": "VCID-husr-u735-97hh" }, { "vulnerability": "VCID-n8mv-4upg-hfa3" }, { "vulnerability": "VCID-p9ck-pwqp-qyc7" }, { "vulnerability": "VCID-rcdd-qkxt-nuez" }, { "vulnerability": "VCID-s1jf-x5ug-jqcq" }, { "vulnerability": "VCID-y6j7-eetd-pkfh" }, { "vulnerability": "VCID-yync-gs3f-nyax" }, { "vulnerability": "VCID-z6uu-5bdh-pud4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.69.0" } ], "aliases": [ "CVE-2022-39335", "GHSA-45cj-f97f-ggwv", "PYSEC-2023-65" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9uhc-e3bj-nqg7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/218107?format=api", "vulnerability_id": "VCID-ahwq-36cc-pqhn", "summary": "Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.25.0, a malicious homeserver could redirect requests to their .well-known file to a large file. This can lead to a denial of service attack where homeservers will consume significantly more resources when requesting the .well-known file of a malicious homeserver. This affects any server which accepts federation requests from untrusted servers. Issue is resolved in version 1.25.0. As a workaround the `federation_domain_whitelist` setting can be used to restrict the homeservers communicated with over federation.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-21274", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00446", "scoring_system": "epss", "scoring_elements": "0.63897", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00446", "scoring_system": "epss", "scoring_elements": "0.63999", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00446", "scoring_system": "epss", "scoring_elements": "0.64013", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00446", "scoring_system": "epss", "scoring_elements": "0.64011", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-21274" }, { "reference_url": "https://github.com/matrix-org/synapse", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse" }, { "reference_url": "https://github.com/matrix-org/synapse/commit/ff5c4da1289cb5e097902b3e55b771be342c29d6", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/commit/ff5c4da1289cb5e097902b3e55b771be342c29d6" }, { "reference_url": "https://github.com/matrix-org/synapse/pull/8950", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/pull/8950" }, { "reference_url": "https://github.com/matrix-org/synapse/releases/tag/v1.25.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/releases/tag/v1.25.0" }, { "reference_url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-2hwx-mjrm-v3g8", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-2hwx-mjrm-v3g8" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-132.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-132.yaml" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21274", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21274" }, { "reference_url": "https://github.com/advisories/GHSA-2hwx-mjrm-v3g8", "reference_id": "GHSA-2hwx-mjrm-v3g8", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-2hwx-mjrm-v3g8" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/62732?format=api", "purl": "pkg:pypi/matrix-synapse@1.25.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1xwm-33sy-3qfv" }, { "vulnerability": "VCID-27ht-47d2-77f6" }, { "vulnerability": "VCID-2ctw-4fy5-4ufd" }, { "vulnerability": "VCID-3ngy-dt6j-tuef" }, { "vulnerability": "VCID-4kph-6snj-huhk" }, { "vulnerability": "VCID-5h97-3s9w-c3ab" }, { "vulnerability": "VCID-7v7h-zrjj-pkh3" }, { "vulnerability": "VCID-86br-xun2-gudx" }, { "vulnerability": "VCID-8974-zsm2-ybbv" }, { "vulnerability": "VCID-8n5g-1zby-77gj" }, { "vulnerability": "VCID-9uhc-e3bj-nqg7" }, { "vulnerability": "VCID-b2u5-56b4-63ae" }, { "vulnerability": "VCID-bkk8-srvr-pqfj" }, { "vulnerability": "VCID-c1vt-9j6a-b7cr" }, { "vulnerability": "VCID-cjar-y1hc-4ybu" }, { "vulnerability": "VCID-dux1-nmrm-xqa1" }, { "vulnerability": "VCID-g8ff-1859-ekhm" }, { "vulnerability": "VCID-hqwh-2un3-bqd8" }, { "vulnerability": "VCID-j879-8928-yyh8" }, { "vulnerability": "VCID-n8mv-4upg-hfa3" }, { "vulnerability": "VCID-p9ck-pwqp-qyc7" }, { "vulnerability": "VCID-rcdd-qkxt-nuez" }, { "vulnerability": "VCID-s1jf-x5ug-jqcq" }, { "vulnerability": "VCID-sz98-t7z9-bqea" }, { "vulnerability": "VCID-v2m6-n5w2-wfc5" }, { "vulnerability": "VCID-vns7-ssd1-8bhe" }, { "vulnerability": "VCID-y6j7-eetd-pkfh" }, { "vulnerability": "VCID-yu4n-aq57-67g5" }, { "vulnerability": "VCID-yync-gs3f-nyax" }, { "vulnerability": "VCID-z6uu-5bdh-pud4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.25.0" } ], "aliases": [ "CVE-2021-21274", "GHSA-2hwx-mjrm-v3g8", "PYSEC-2021-132" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ahwq-36cc-pqhn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/197549?format=api", "vulnerability_id": "VCID-b2u5-56b4-63ae", "summary": "directory traversal", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-41281", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00545", "scoring_system": "epss", "scoring_elements": "0.68334", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00545", "scoring_system": "epss", "scoring_elements": "0.68239", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00545", "scoring_system": "epss", "scoring_elements": "0.6834", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00545", "scoring_system": "epss", "scoring_elements": "0.68327", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-41281" }, { "reference_url": "https://github.com/matrix-org/synapse", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse" }, { "reference_url": "https://github.com/matrix-org/synapse/commit/91f2bd090", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/commit/91f2bd090" }, { "reference_url": "https://github.com/matrix-org/synapse/releases/tag/v1.47.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/releases/tag/v1.47.1" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-436.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-436.yaml" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EU7QRE55U4IUEDLKT5IYPWL3UXMELFAS", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EU7QRE55U4IUEDLKT5IYPWL3UXMELFAS" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N3WY56LCEZ4ZECLWV5KMAXF2PSMUB4F2", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N3WY56LCEZ4ZECLWV5KMAXF2PSMUB4F2" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1000451", "reference_id": "1000451", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1000451" }, { "reference_url": "https://security.archlinux.org/AVG-2581", "reference_id": "AVG-2581", "reference_type": "", "scores": [ { "value": "Medium", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2581" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41281", "reference_id": "CVE-2021-41281", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41281" }, { "reference_url": "https://github.com/advisories/GHSA-3hfw-x7gx-437c", "reference_id": "GHSA-3hfw-x7gx-437c", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3hfw-x7gx-437c" }, { "reference_url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-3hfw-x7gx-437c", "reference_id": "GHSA-3hfw-x7gx-437c", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-3hfw-x7gx-437c" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/18103?format=api", "purl": "pkg:pypi/matrix-synapse@1.47.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1xwm-33sy-3qfv" }, { "vulnerability": "VCID-27ht-47d2-77f6" }, { "vulnerability": "VCID-2ctw-4fy5-4ufd" }, { "vulnerability": "VCID-3ngy-dt6j-tuef" }, { "vulnerability": "VCID-5h97-3s9w-c3ab" }, { "vulnerability": "VCID-7v7h-zrjj-pkh3" }, { "vulnerability": "VCID-8n5g-1zby-77gj" }, { "vulnerability": "VCID-9uhc-e3bj-nqg7" }, { "vulnerability": "VCID-bkk8-srvr-pqfj" }, { "vulnerability": "VCID-c1vt-9j6a-b7cr" }, { "vulnerability": "VCID-g8ff-1859-ekhm" }, { "vulnerability": "VCID-hqwh-2un3-bqd8" }, { "vulnerability": "VCID-n8mv-4upg-hfa3" }, { "vulnerability": "VCID-p9ck-pwqp-qyc7" }, { "vulnerability": "VCID-rcdd-qkxt-nuez" }, { "vulnerability": "VCID-s1jf-x5ug-jqcq" }, { "vulnerability": "VCID-sz98-t7z9-bqea" }, { "vulnerability": "VCID-y6j7-eetd-pkfh" }, { "vulnerability": "VCID-yync-gs3f-nyax" }, { "vulnerability": "VCID-z6uu-5bdh-pud4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.47.1" } ], "aliases": [ "CVE-2021-41281", "GHSA-3hfw-x7gx-437c", "PYSEC-2021-436" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-b2u5-56b4-63ae" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/143650?format=api", "vulnerability_id": "VCID-bkk8-srvr-pqfj", "summary": "Synapse is a Matrix protocol homeserver written in Python with the Twisted framework. In affected versions it may be possible for a deactivated user to login when using uncommon configurations. This only applies if any of the following are true: 1. JSON Web Tokens are enabled for login via the `jwt_config.enabled` configuration setting. 2. The local password database is enabled via the `password_config.enabled` and `password_config.localdb_enabled` configuration settings *and* a user's password is updated via an admin API after a user is deactivated. Note that the local password database is enabled by default, but it is uncommon to set a user's password after they've been deactivated. Installations that are configured to only allow login via Single Sign-On (SSO) via CAS, SAML or OpenID Connect (OIDC); or via an external password provider (e.g. LDAP) are not affected. If not using JSON Web Tokens, ensure that deactivated users do not have a password set. This issue has been addressed in version 1.85.0. Users are advised to upgrade.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-32682", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00956", "scoring_system": "epss", "scoring_elements": "0.76937", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00956", "scoring_system": "epss", "scoring_elements": "0.76866", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00956", "scoring_system": "epss", "scoring_elements": "0.76945", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00956", "scoring_system": "epss", "scoring_elements": "0.76951", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-32682" }, { "reference_url": "https://github.com/matrix-org/synapse", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse" }, { "reference_url": "https://github.com/matrix-org/synapse/issues/12274", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/issues/12274" }, { "reference_url": "https://github.com/matrix-org/synapse/releases/tag/v1.85.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/releases/tag/v1.85.0" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2023-84.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2023-84.yaml" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6DH5A5YEB5LRIPP32OUW25FCGZFCZU2", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6DH5A5YEB5LRIPP32OUW25FCGZFCZU2" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32682", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32682" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037207", "reference_id": "1037207", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037207" }, { "reference_url": "https://github.com/matrix-org/synapse/pull/15624", "reference_id": "15624", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-07T16:28:39Z/" } ], "url": "https://github.com/matrix-org/synapse/pull/15624" }, { "reference_url": "https://github.com/matrix-org/synapse/pull/15634", "reference_id": "15634", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-07T16:28:39Z/" } ], "url": "https://github.com/matrix-org/synapse/pull/15634" }, { "reference_url": "https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#password_config", "reference_id": "config_documentation.html#password_config", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-07T16:28:39Z/" } ], "url": "https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#password_config" }, { "reference_url": "https://github.com/advisories/GHSA-26c5-ppr8-f33p", "reference_id": "GHSA-26c5-ppr8-f33p", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-26c5-ppr8-f33p" }, { "reference_url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-26c5-ppr8-f33p", "reference_id": "GHSA-26c5-ppr8-f33p", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-07T16:28:39Z/" } ], "url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-26c5-ppr8-f33p" }, { "reference_url": "https://matrix-org.github.io/synapse/latest/jwt.html", "reference_id": "jwt.html", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-07T16:28:39Z/" } ], "url": "https://matrix-org.github.io/synapse/latest/jwt.html" }, { "reference_url": "https://matrix-org.github.io/synapse/latest/admin_api/user_admin_api.html#create-or-modify-account", "reference_id": "user_admin_api.html#create-or-modify-account", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-07T16:28:39Z/" } ], "url": "https://matrix-org.github.io/synapse/latest/admin_api/user_admin_api.html#create-or-modify-account" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6DH5A5YEB5LRIPP32OUW25FCGZFCZU2/", "reference_id": "X6DH5A5YEB5LRIPP32OUW25FCGZFCZU2", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-07T16:28:39Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6DH5A5YEB5LRIPP32OUW25FCGZFCZU2/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/76283?format=api", "purl": "pkg:pypi/matrix-synapse@1.85.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1xwm-33sy-3qfv" }, { "vulnerability": "VCID-2ctw-4fy5-4ufd" }, { "vulnerability": "VCID-3ngy-dt6j-tuef" }, { "vulnerability": "VCID-5h97-3s9w-c3ab" }, { "vulnerability": "VCID-7v7h-zrjj-pkh3" }, { "vulnerability": "VCID-c1vt-9j6a-b7cr" }, { "vulnerability": "VCID-hqwh-2un3-bqd8" }, { "vulnerability": "VCID-husr-u735-97hh" }, { "vulnerability": "VCID-n8mv-4upg-hfa3" }, { "vulnerability": "VCID-rcdd-qkxt-nuez" }, { "vulnerability": "VCID-s1jf-x5ug-jqcq" }, { "vulnerability": "VCID-y6j7-eetd-pkfh" }, { "vulnerability": "VCID-yync-gs3f-nyax" }, { "vulnerability": "VCID-z6uu-5bdh-pud4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.85.0" } ], "aliases": [ "CVE-2023-32682", "GHSA-26c5-ppr8-f33p", "PYSEC-2023-84" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-bkk8-srvr-pqfj" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/45378?format=api", "vulnerability_id": "VCID-c1vt-9j6a-b7cr", "summary": "Synapse is an open-source Matrix homeserver. Synapse before version 1.106 allows, by design, unauthenticated remote participants to trigger a download and caching of remote media from a remote homeserver to the local media repository. Such content then also becomes available for download from the local homeserver in an unauthenticated way. The implication is that unauthenticated remote adversaries can use this functionality to plant problematic content into the media repository. Synapse 1.106 introduces a partial mitigation in the form of new endpoints which require authentication for media downloads. The unauthenticated endpoints will be frozen in a future release, closing the attack vector.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-37303", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00342", "scoring_system": "epss", "scoring_elements": "0.57331", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00342", "scoring_system": "epss", "scoring_elements": "0.57346", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00342", "scoring_system": "epss", "scoring_elements": "0.57338", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00342", "scoring_system": "epss", "scoring_elements": "0.57213", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-37303" }, { "reference_url": "https://github.com/element-hq/synapse", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/element-hq/synapse" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2024-287.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2024-287.yaml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37303", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37303" }, { "reference_url": "https://github.com/matrix-org/matrix-spec-proposals/pull/3916", "reference_id": "3916", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-12-03T18:49:29Z/" } ], "url": "https://github.com/matrix-org/matrix-spec-proposals/pull/3916" }, { "reference_url": "https://github.com/advisories/GHSA-gjgr-7834-rhxr", "reference_id": "GHSA-gjgr-7834-rhxr", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-gjgr-7834-rhxr" }, { "reference_url": "https://github.com/element-hq/synapse/security/advisories/GHSA-gjgr-7834-rhxr", "reference_id": "GHSA-gjgr-7834-rhxr", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-12-03T18:49:29Z/" } ], "url": "https://github.com/element-hq/synapse/security/advisories/GHSA-gjgr-7834-rhxr" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/86739?format=api", "purl": "pkg:pypi/matrix-synapse@1.106.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1xwm-33sy-3qfv" }, { "vulnerability": "VCID-3ngy-dt6j-tuef" }, { "vulnerability": "VCID-hqwh-2un3-bqd8" }, { "vulnerability": "VCID-n8mv-4upg-hfa3" }, { "vulnerability": "VCID-rcdd-qkxt-nuez" }, { "vulnerability": "VCID-s1jf-x5ug-jqcq" }, { "vulnerability": "VCID-y6j7-eetd-pkfh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.106.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/372289?format=api", "purl": "pkg:pypi/matrix-synapse@1.106", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.106" } ], "aliases": [ "CVE-2024-37303", "GHSA-gjgr-7834-rhxr", "PYSEC-2024-287" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-c1vt-9j6a-b7cr" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/197315?format=api", "vulnerability_id": "VCID-cdnv-apfv-nuf8", "summary": "denial of service", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-26890", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00572", "scoring_system": "epss", "scoring_elements": "0.69262", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00572", "scoring_system": "epss", "scoring_elements": "0.69163", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00572", "scoring_system": "epss", "scoring_elements": "0.69256", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00572", "scoring_system": "epss", "scoring_elements": "0.69268", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-26890" }, { "reference_url": "https://github.com/matrix-org/synapse", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse" }, { "reference_url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-4mp3-385r-v63f", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-4mp3-385r-v63f" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2020-237.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2020-237.yaml" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G7YXMMYQP46PYL664JQUXCA3LPBJU7DQ", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G7YXMMYQP46PYL664JQUXCA3LPBJU7DQ" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G7YXMMYQP46PYL664JQUXCA3LPBJU7DQ/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G7YXMMYQP46PYL664JQUXCA3LPBJU7DQ/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U34DPP4ZLOEDUY2ZCWOHQPU5GA5LYNUQ", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U34DPP4ZLOEDUY2ZCWOHQPU5GA5LYNUQ" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U34DPP4ZLOEDUY2ZCWOHQPU5GA5LYNUQ/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U34DPP4ZLOEDUY2ZCWOHQPU5GA5LYNUQ/" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26890", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26890" }, { "reference_url": "https://pypi.org/project/matrix-synapse", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://pypi.org/project/matrix-synapse" }, { "reference_url": "https://security.archlinux.org/ASA-202011-23", "reference_id": "ASA-202011-23", "reference_type": "", "scores": [], "url": "https://security.archlinux.org/ASA-202011-23" }, { "reference_url": "https://security.archlinux.org/AVG-1296", "reference_id": "AVG-1296", "reference_type": "", "scores": [ { "value": "High", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-1296" }, { "reference_url": "https://github.com/advisories/GHSA-4mp3-385r-v63f", "reference_id": "GHSA-4mp3-385r-v63f", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4mp3-385r-v63f" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/61114?format=api", "purl": "pkg:pypi/matrix-synapse@1.20.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1xwm-33sy-3qfv" }, { "vulnerability": "VCID-27ht-47d2-77f6" }, { "vulnerability": "VCID-2ctw-4fy5-4ufd" }, { "vulnerability": "VCID-2du1-3n24-rbgx" }, { "vulnerability": "VCID-3ngy-dt6j-tuef" }, { "vulnerability": "VCID-4kph-6snj-huhk" }, { "vulnerability": "VCID-5h97-3s9w-c3ab" }, { "vulnerability": "VCID-6a8s-n8vb-hker" }, { "vulnerability": "VCID-7v7h-zrjj-pkh3" }, { "vulnerability": "VCID-86br-xun2-gudx" }, { "vulnerability": "VCID-8974-zsm2-ybbv" }, { "vulnerability": "VCID-8n5g-1zby-77gj" }, { "vulnerability": "VCID-9uhc-e3bj-nqg7" }, { "vulnerability": "VCID-ahwq-36cc-pqhn" }, { "vulnerability": "VCID-b2u5-56b4-63ae" }, { "vulnerability": "VCID-bkk8-srvr-pqfj" }, { "vulnerability": "VCID-c1vt-9j6a-b7cr" }, { "vulnerability": "VCID-cjar-y1hc-4ybu" }, { "vulnerability": "VCID-dux1-nmrm-xqa1" }, { "vulnerability": "VCID-g8ff-1859-ekhm" }, { "vulnerability": "VCID-hqwh-2un3-bqd8" }, { "vulnerability": "VCID-j879-8928-yyh8" }, { "vulnerability": "VCID-n8mv-4upg-hfa3" }, { "vulnerability": "VCID-p9ck-pwqp-qyc7" }, { "vulnerability": "VCID-rcdd-qkxt-nuez" }, { "vulnerability": "VCID-s1jf-x5ug-jqcq" }, { "vulnerability": "VCID-sz98-t7z9-bqea" }, { "vulnerability": "VCID-v2m6-n5w2-wfc5" }, { "vulnerability": "VCID-vns7-ssd1-8bhe" }, { "vulnerability": "VCID-y6j7-eetd-pkfh" }, { "vulnerability": "VCID-ygy4-xzjr-2fdc" }, { "vulnerability": "VCID-yu4n-aq57-67g5" }, { "vulnerability": "VCID-yync-gs3f-nyax" }, { "vulnerability": "VCID-z6uu-5bdh-pud4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.20.0" } ], "aliases": [ "CVE-2020-26890", "GHSA-4mp3-385r-v63f", "PYSEC-2020-237" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cdnv-apfv-nuf8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/218125?format=api", "vulnerability_id": "VCID-cjar-y1hc-4ybu", "summary": "Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0 requests to user provided domains were not restricted to external IP addresses when transitional IPv6 addresses were used. Outbound requests to federation, identity servers, when calculating the key validity for third-party invite events, sending push notifications, and generating URL previews are affected. This could cause Synapse to make requests to internal infrastructure on dual-stack networks. See referenced GitHub security advisory for details and workarounds.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-21392", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.002", "scoring_system": "epss", "scoring_elements": "0.42051", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.002", "scoring_system": "epss", "scoring_elements": "0.42215", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.002", "scoring_system": "epss", "scoring_elements": "0.42237", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.002", "scoring_system": "epss", "scoring_elements": "0.42228", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-21392" }, { "reference_url": "https://github.com/matrix-org/synapse", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse" }, { "reference_url": "https://github.com/matrix-org/synapse/commit/4ca054a4eaa714d0befb4fc30b19a1131e52c9cc", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/commit/4ca054a4eaa714d0befb4fc30b19a1131e52c9cc" }, { "reference_url": "https://github.com/matrix-org/synapse/pull/9240", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/pull/9240" }, { "reference_url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-5wrh-4jwv-5w78", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-5wrh-4jwv-5w78" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-25.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-25.yaml" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21392", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21392" }, { "reference_url": "https://pypi.org/project/matrix-synapse", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://pypi.org/project/matrix-synapse" }, { "reference_url": "https://pypi.org/project/matrix-synapse/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://pypi.org/project/matrix-synapse/" }, { "reference_url": "https://github.com/advisories/GHSA-5wrh-4jwv-5w78", "reference_id": "GHSA-5wrh-4jwv-5w78", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5wrh-4jwv-5w78" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/64059?format=api", "purl": "pkg:pypi/matrix-synapse@1.28.0rc1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1xwm-33sy-3qfv" }, { "vulnerability": "VCID-27ht-47d2-77f6" }, { "vulnerability": "VCID-2ctw-4fy5-4ufd" }, { "vulnerability": "VCID-3ngy-dt6j-tuef" }, { "vulnerability": "VCID-4kph-6snj-huhk" }, { "vulnerability": "VCID-5h97-3s9w-c3ab" }, { "vulnerability": "VCID-7v7h-zrjj-pkh3" }, { "vulnerability": "VCID-86br-xun2-gudx" }, { "vulnerability": "VCID-8974-zsm2-ybbv" }, { "vulnerability": "VCID-8n5g-1zby-77gj" }, { "vulnerability": "VCID-9uhc-e3bj-nqg7" }, { "vulnerability": "VCID-b2u5-56b4-63ae" }, { "vulnerability": "VCID-bkk8-srvr-pqfj" }, { "vulnerability": "VCID-c1vt-9j6a-b7cr" }, { "vulnerability": "VCID-cjar-y1hc-4ybu" }, { "vulnerability": "VCID-dux1-nmrm-xqa1" }, { "vulnerability": "VCID-g8ff-1859-ekhm" }, { "vulnerability": "VCID-hqwh-2un3-bqd8" }, { "vulnerability": "VCID-j879-8928-yyh8" }, { "vulnerability": "VCID-n8mv-4upg-hfa3" }, { "vulnerability": "VCID-p9ck-pwqp-qyc7" }, { "vulnerability": "VCID-rcdd-qkxt-nuez" }, { "vulnerability": "VCID-s1jf-x5ug-jqcq" }, { "vulnerability": "VCID-sz98-t7z9-bqea" }, { "vulnerability": "VCID-vns7-ssd1-8bhe" }, { "vulnerability": "VCID-y6j7-eetd-pkfh" }, { "vulnerability": "VCID-yync-gs3f-nyax" }, { "vulnerability": "VCID-z6uu-5bdh-pud4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.28.0rc1" }, { "url": "http://public2.vulnerablecode.io/api/packages/64060?format=api", "purl": "pkg:pypi/matrix-synapse@1.28.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1xwm-33sy-3qfv" }, { "vulnerability": "VCID-27ht-47d2-77f6" }, { "vulnerability": "VCID-2ctw-4fy5-4ufd" }, { "vulnerability": "VCID-3ngy-dt6j-tuef" }, { "vulnerability": "VCID-5h97-3s9w-c3ab" }, { "vulnerability": "VCID-7v7h-zrjj-pkh3" }, { "vulnerability": "VCID-86br-xun2-gudx" }, { "vulnerability": "VCID-8974-zsm2-ybbv" }, { "vulnerability": "VCID-8n5g-1zby-77gj" }, { "vulnerability": "VCID-9uhc-e3bj-nqg7" }, { "vulnerability": "VCID-b2u5-56b4-63ae" }, { "vulnerability": "VCID-bkk8-srvr-pqfj" }, { "vulnerability": "VCID-c1vt-9j6a-b7cr" }, { "vulnerability": "VCID-dux1-nmrm-xqa1" }, { "vulnerability": "VCID-g8ff-1859-ekhm" }, { "vulnerability": "VCID-hqwh-2un3-bqd8" }, { "vulnerability": "VCID-n8mv-4upg-hfa3" }, { "vulnerability": "VCID-p9ck-pwqp-qyc7" }, { "vulnerability": "VCID-rcdd-qkxt-nuez" }, { "vulnerability": "VCID-s1jf-x5ug-jqcq" }, { "vulnerability": "VCID-sz98-t7z9-bqea" }, { "vulnerability": "VCID-vns7-ssd1-8bhe" }, { "vulnerability": "VCID-y6j7-eetd-pkfh" }, { "vulnerability": "VCID-yync-gs3f-nyax" }, { "vulnerability": "VCID-z6uu-5bdh-pud4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.28.0" } ], "aliases": [ "CVE-2021-21392", "GHSA-5wrh-4jwv-5w78", "PYSEC-2021-25" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cjar-y1hc-4ybu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/197596?format=api", "vulnerability_id": "VCID-dux1-nmrm-xqa1", "summary": "information disclosure", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39164", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00271", "scoring_system": "epss", "scoring_elements": "0.50998", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00271", "scoring_system": "epss", "scoring_elements": "0.50863", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00271", "scoring_system": "epss", "scoring_elements": "0.50996", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00271", "scoring_system": "epss", "scoring_elements": "0.51011", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39164" }, { "reference_url": "https://github.com/matrix-org/synapse", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse" }, { "reference_url": "https://github.com/matrix-org/synapse/commit/cb35df940a", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/commit/cb35df940a" }, { "reference_url": "https://github.com/matrix-org/synapse/releases/tag/v1.41.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/releases/tag/v1.41.1" }, { "reference_url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-3x4c-pq33-4w3q", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-3x4c-pq33-4w3q" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-425.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-425.yaml" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2VHDEPCZ22GJFMZCWA2XZAGPOEV72POF", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2VHDEPCZ22GJFMZCWA2XZAGPOEV72POF" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2VHDEPCZ22GJFMZCWA2XZAGPOEV72POF/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2VHDEPCZ22GJFMZCWA2XZAGPOEV72POF/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PXT7ID7DNBRN2TVTETU3SYQHJKEG6PXN", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PXT7ID7DNBRN2TVTETU3SYQHJKEG6PXN" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PXT7ID7DNBRN2TVTETU3SYQHJKEG6PXN/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PXT7ID7DNBRN2TVTETU3SYQHJKEG6PXN/" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39164", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39164" }, { "reference_url": "https://security.archlinux.org/AVG-2334", "reference_id": "AVG-2334", "reference_type": "", "scores": [ { "value": "Medium", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2334" }, { "reference_url": "https://github.com/advisories/GHSA-3x4c-pq33-4w3q", "reference_id": "GHSA-3x4c-pq33-4w3q", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3x4c-pq33-4w3q" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/66121?format=api", "purl": "pkg:pypi/matrix-synapse@1.41.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1xwm-33sy-3qfv" }, { "vulnerability": "VCID-27ht-47d2-77f6" }, { "vulnerability": "VCID-2ctw-4fy5-4ufd" }, { "vulnerability": "VCID-3ngy-dt6j-tuef" }, { "vulnerability": "VCID-5h97-3s9w-c3ab" }, { "vulnerability": "VCID-7v7h-zrjj-pkh3" }, { "vulnerability": "VCID-8n5g-1zby-77gj" }, { "vulnerability": "VCID-9uhc-e3bj-nqg7" }, { "vulnerability": "VCID-b2u5-56b4-63ae" }, { "vulnerability": "VCID-bkk8-srvr-pqfj" }, { "vulnerability": "VCID-c1vt-9j6a-b7cr" }, { "vulnerability": "VCID-g8ff-1859-ekhm" }, { "vulnerability": "VCID-hqwh-2un3-bqd8" }, { "vulnerability": "VCID-n8mv-4upg-hfa3" }, { "vulnerability": "VCID-p9ck-pwqp-qyc7" }, { "vulnerability": "VCID-rcdd-qkxt-nuez" }, { "vulnerability": "VCID-s1jf-x5ug-jqcq" }, { "vulnerability": "VCID-sz98-t7z9-bqea" }, { "vulnerability": "VCID-y6j7-eetd-pkfh" }, { "vulnerability": "VCID-yync-gs3f-nyax" }, { "vulnerability": "VCID-z6uu-5bdh-pud4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.41.1" } ], "aliases": [ "CVE-2021-39164", "GHSA-3x4c-pq33-4w3q", "PYSEC-2021-425" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dux1-nmrm-xqa1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/167405?format=api", "vulnerability_id": "VCID-g8ff-1859-ekhm", "summary": "Synapse is an open source home server implementation for the Matrix chat network. In versions prior to 1.61.1 URL previews of some web pages can exhaust the available stack space for the Synapse process due to unbounded recursion. This is sometimes recoverable and leads to an error for the request causing the problem, but in other cases the Synapse process may crash altogether. It is possible to exploit this maliciously, either by malicious users on the homeserver, or by remote users sending URLs that a local user's client may automatically request a URL preview for. Remote users are not able to exploit this directly, because the URL preview endpoint is authenticated. Deployments with `url_preview_enabled: false` set in configuration are not affected. Deployments with `url_preview_enabled: true` set in configuration **are** affected. Deployments with no configuration value set for `url_preview_enabled` are not affected, because the default is `false`. Administrators of homeservers with URL previews enabled are advised to upgrade to v1.61.1 or higher. Users unable to upgrade should set `url_preview_enabled` to false.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-31052", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00376", "scoring_system": "epss", "scoring_elements": "0.5972", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00376", "scoring_system": "epss", "scoring_elements": "0.5971", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00376", "scoring_system": "epss", "scoring_elements": "0.596", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00376", "scoring_system": "epss", "scoring_elements": "0.59708", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-31052" }, { "reference_url": "https://github.com/matrix-org/synapse", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2022-224.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2022-224.yaml" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7EARKKJZ2W7WUITFDT4EG4NVATFYJQHF", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7EARKKJZ2W7WUITFDT4EG4NVATFYJQHF" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7EARKKJZ2W7WUITFDT4EG4NVATFYJQHF/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7EARKKJZ2W7WUITFDT4EG4NVATFYJQHF/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGSDQ4YAITCUACAB7SXQZDJIU3IQ4CJD", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGSDQ4YAITCUACAB7SXQZDJIU3IQ4CJD" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGSDQ4YAITCUACAB7SXQZDJIU3IQ4CJD/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGSDQ4YAITCUACAB7SXQZDJIU3IQ4CJD/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7EARKKJZ2W7WUITFDT4EG4NVATFYJQHF/", "reference_id": "7EARKKJZ2W7WUITFDT4EG4NVATFYJQHF", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:04:10Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7EARKKJZ2W7WUITFDT4EG4NVATFYJQHF/" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31052", "reference_id": "CVE-2022-31052", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31052" }, { "reference_url": "https://github.com/matrix-org/synapse/commit/fa1308061802ac7b7d20e954ba7372c5ac292333", "reference_id": "fa1308061802ac7b7d20e954ba7372c5ac292333", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:04:10Z/" } ], "url": "https://github.com/matrix-org/synapse/commit/fa1308061802ac7b7d20e954ba7372c5ac292333" }, { "reference_url": "https://spec.matrix.org/v1.2/client-server-api/#get_matrixmediav3preview_url", "reference_id": "#get_matrixmediav3preview_url", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:04:10Z/" } ], "url": "https://spec.matrix.org/v1.2/client-server-api/#get_matrixmediav3preview_url" }, { "reference_url": "https://github.com/advisories/GHSA-22p3-qrh9-cx32", "reference_id": "GHSA-22p3-qrh9-cx32", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-22p3-qrh9-cx32" }, { "reference_url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-22p3-qrh9-cx32", "reference_id": "GHSA-22p3-qrh9-cx32", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:04:10Z/" } ], "url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-22p3-qrh9-cx32" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGSDQ4YAITCUACAB7SXQZDJIU3IQ4CJD/", "reference_id": "QGSDQ4YAITCUACAB7SXQZDJIU3IQ4CJD", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:04:10Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGSDQ4YAITCUACAB7SXQZDJIU3IQ4CJD/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/25098?format=api", "purl": "pkg:pypi/matrix-synapse@1.61.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1xwm-33sy-3qfv" }, { "vulnerability": "VCID-27ht-47d2-77f6" }, { "vulnerability": "VCID-2ctw-4fy5-4ufd" }, { "vulnerability": "VCID-3ngy-dt6j-tuef" }, { "vulnerability": "VCID-5h97-3s9w-c3ab" }, { "vulnerability": "VCID-7v7h-zrjj-pkh3" }, { "vulnerability": "VCID-8n5g-1zby-77gj" }, { "vulnerability": "VCID-9uhc-e3bj-nqg7" }, { "vulnerability": "VCID-bkk8-srvr-pqfj" }, { "vulnerability": "VCID-c1vt-9j6a-b7cr" }, { "vulnerability": "VCID-hqwh-2un3-bqd8" }, { "vulnerability": "VCID-n8mv-4upg-hfa3" }, { "vulnerability": "VCID-p9ck-pwqp-qyc7" }, { "vulnerability": "VCID-rcdd-qkxt-nuez" }, { "vulnerability": "VCID-s1jf-x5ug-jqcq" }, { "vulnerability": "VCID-y6j7-eetd-pkfh" }, { "vulnerability": "VCID-yync-gs3f-nyax" }, { "vulnerability": "VCID-z6uu-5bdh-pud4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.61.1" } ], "aliases": [ "CVE-2022-31052", "GHSA-22p3-qrh9-cx32", "PYSEC-2022-224" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-g8ff-1859-ekhm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/210625?format=api", "vulnerability_id": "VCID-hjuv-5rpx-hfe3", "summary": "Improper Verification of Cryptographic Signature in matrix-synapse", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2019-18835", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00191", "scoring_system": "epss", "scoring_elements": "0.41074", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00191", "scoring_system": "epss", "scoring_elements": "0.40908", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00191", "scoring_system": "epss", "scoring_elements": "0.41084", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00191", "scoring_system": "epss", "scoring_elements": "0.41095", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-18835" }, { "reference_url": "https://github.com/matrix-org/synapse", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L" }, { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse" }, { "reference_url": "https://github.com/matrix-org/synapse/commit/172f264ed38e8bef857552f93114b4ee113a880b", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L" }, { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/commit/172f264ed38e8bef857552f93114b4ee113a880b" }, { "reference_url": "https://github.com/matrix-org/synapse/pull/6262", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L" }, { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/pull/6262" }, { "reference_url": "https://github.com/matrix-org/synapse/releases/tag/v1.5.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L" }, { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/releases/tag/v1.5.0" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2019-186.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L" }, { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2019-186.yaml" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=944355", "reference_id": "944355", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=944355" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2019-18835", "reference_id": "CVE-2019-18835", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L" }, { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-18835" }, { "reference_url": "https://github.com/advisories/GHSA-cppw-2mf8-qpm5", "reference_id": "GHSA-cppw-2mf8-qpm5", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-cppw-2mf8-qpm5" }, { "reference_url": "https://usn.ubuntu.com/6076-1/", "reference_id": "USN-6076-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/6076-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/23884?format=api", "purl": "pkg:pypi/matrix-synapse@1.5.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1xwm-33sy-3qfv" }, { "vulnerability": "VCID-27ht-47d2-77f6" }, { "vulnerability": "VCID-2ctw-4fy5-4ufd" }, { "vulnerability": "VCID-2du1-3n24-rbgx" }, { "vulnerability": "VCID-3ngy-dt6j-tuef" }, { "vulnerability": "VCID-4kph-6snj-huhk" }, { "vulnerability": "VCID-5h97-3s9w-c3ab" }, { "vulnerability": "VCID-6a8s-n8vb-hker" }, { "vulnerability": "VCID-7v7h-zrjj-pkh3" }, { "vulnerability": "VCID-86br-xun2-gudx" }, { "vulnerability": "VCID-8974-zsm2-ybbv" }, { "vulnerability": "VCID-8n5g-1zby-77gj" }, { "vulnerability": "VCID-9uhc-e3bj-nqg7" }, { "vulnerability": "VCID-ahwq-36cc-pqhn" }, { "vulnerability": "VCID-b2u5-56b4-63ae" }, { "vulnerability": "VCID-bkk8-srvr-pqfj" }, { "vulnerability": "VCID-c1vt-9j6a-b7cr" }, { "vulnerability": "VCID-cdnv-apfv-nuf8" }, { "vulnerability": "VCID-cjar-y1hc-4ybu" }, { "vulnerability": "VCID-dux1-nmrm-xqa1" }, { "vulnerability": "VCID-g8ff-1859-ekhm" }, { "vulnerability": "VCID-hqwh-2un3-bqd8" }, { "vulnerability": "VCID-j879-8928-yyh8" }, { "vulnerability": "VCID-n8mv-4upg-hfa3" }, { "vulnerability": "VCID-p9ck-pwqp-qyc7" }, { "vulnerability": "VCID-rcdd-qkxt-nuez" }, { "vulnerability": "VCID-s1jf-x5ug-jqcq" }, { "vulnerability": "VCID-sz98-t7z9-bqea" }, { "vulnerability": "VCID-v2m6-n5w2-wfc5" }, { "vulnerability": "VCID-vns7-ssd1-8bhe" }, { "vulnerability": "VCID-y6j7-eetd-pkfh" }, { "vulnerability": "VCID-ygy4-xzjr-2fdc" }, { "vulnerability": "VCID-yu4n-aq57-67g5" }, { "vulnerability": "VCID-yync-gs3f-nyax" }, { "vulnerability": "VCID-z6uu-5bdh-pud4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.5.0" } ], "aliases": [ "CVE-2019-18835", "GHSA-cppw-2mf8-qpm5", "PYSEC-2019-186" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hjuv-5rpx-hfe3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/43400?format=api", "vulnerability_id": "VCID-hqwh-2un3-bqd8", "summary": "Synapse is an open-source Matrix homeserver. Synapse versions before 1.120.1 fail to properly validate invites received over federation. This vulnerability allows a malicious server to send a specially crafted invite that disrupts the invited user's /sync functionality. Synapse 1.120.1 rejects such invalid invites received over federation and restores the ability to sync for affected users.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-52815", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00353", "scoring_system": "epss", "scoring_elements": "0.58194", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00353", "scoring_system": "epss", "scoring_elements": "0.58198", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00353", "scoring_system": "epss", "scoring_elements": "0.5808", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00353", "scoring_system": "epss", "scoring_elements": "0.5821", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-52815" }, { "reference_url": "https://github.com/element-hq/synapse", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/element-hq/synapse" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52815", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52815" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088995", "reference_id": "1088995", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088995" }, { "reference_url": "https://github.com/advisories/GHSA-f3r3-h2mq-hx2h", "reference_id": "GHSA-f3r3-h2mq-hx2h", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-f3r3-h2mq-hx2h" }, { "reference_url": "https://github.com/element-hq/synapse/security/advisories/GHSA-f3r3-h2mq-hx2h", "reference_id": "GHSA-f3r3-h2mq-hx2h", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-12-03T19:05:32Z/" } ], "url": "https://github.com/element-hq/synapse/security/advisories/GHSA-f3r3-h2mq-hx2h" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/372296?format=api", "purl": "pkg:pypi/matrix-synapse@1.120.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.120.1" } ], "aliases": [ "CVE-2024-52815", "GHSA-f3r3-h2mq-hx2h" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hqwh-2un3-bqd8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/218126?format=api", "vulnerability_id": "VCID-j879-8928-yyh8", "summary": "Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0 Synapse is missing input validation of some parameters on the endpoints used to confirm third-party identifiers could cause excessive use of disk space and memory leading to resource exhaustion. Note that the groups feature is not part of the Matrix specification and the chosen maximum lengths are arbitrary. Not all clients might abide by them. Refer to referenced GitHub security advisory for additional details including workarounds.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-21393", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00548", "scoring_system": "epss", "scoring_elements": "0.68353", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00548", "scoring_system": "epss", "scoring_elements": "0.68442", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00548", "scoring_system": "epss", "scoring_elements": "0.68455", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00548", "scoring_system": "epss", "scoring_elements": "0.6845", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-21393" }, { "reference_url": "https://github.com/matrix-org/synapse", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse" }, { "reference_url": "https://github.com/matrix-org/synapse/commit/3f58fc848d0002de4605bed91603a1f9f245d128", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/commit/3f58fc848d0002de4605bed91603a1f9f245d128" }, { "reference_url": "https://github.com/matrix-org/synapse/commit/d2f0ec12d5c8f113095408888e87e191ac546499", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/commit/d2f0ec12d5c8f113095408888e87e191ac546499" }, { "reference_url": "https://github.com/matrix-org/synapse/pull/9321", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/pull/9321" }, { "reference_url": "https://github.com/matrix-org/synapse/pull/9393", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/pull/9393" }, { "reference_url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-jrh7-mhhx-6h88", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-jrh7-mhhx-6h88" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-26.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-26.yaml" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21393", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21393" }, { "reference_url": "https://pypi.org/project/matrix-synapse", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://pypi.org/project/matrix-synapse" }, { "reference_url": "https://pypi.org/project/matrix-synapse/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://pypi.org/project/matrix-synapse/" }, { "reference_url": "https://github.com/advisories/GHSA-jrh7-mhhx-6h88", "reference_id": "GHSA-jrh7-mhhx-6h88", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-jrh7-mhhx-6h88" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/64060?format=api", "purl": "pkg:pypi/matrix-synapse@1.28.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1xwm-33sy-3qfv" }, { "vulnerability": "VCID-27ht-47d2-77f6" }, { "vulnerability": "VCID-2ctw-4fy5-4ufd" }, { "vulnerability": "VCID-3ngy-dt6j-tuef" }, { "vulnerability": "VCID-5h97-3s9w-c3ab" }, { "vulnerability": "VCID-7v7h-zrjj-pkh3" }, { "vulnerability": "VCID-86br-xun2-gudx" }, { "vulnerability": "VCID-8974-zsm2-ybbv" }, { "vulnerability": "VCID-8n5g-1zby-77gj" }, { "vulnerability": "VCID-9uhc-e3bj-nqg7" }, { "vulnerability": "VCID-b2u5-56b4-63ae" }, { "vulnerability": "VCID-bkk8-srvr-pqfj" }, { "vulnerability": "VCID-c1vt-9j6a-b7cr" }, { "vulnerability": "VCID-dux1-nmrm-xqa1" }, { "vulnerability": "VCID-g8ff-1859-ekhm" }, { "vulnerability": "VCID-hqwh-2un3-bqd8" }, { "vulnerability": "VCID-n8mv-4upg-hfa3" }, { "vulnerability": "VCID-p9ck-pwqp-qyc7" }, { "vulnerability": "VCID-rcdd-qkxt-nuez" }, { "vulnerability": "VCID-s1jf-x5ug-jqcq" }, { "vulnerability": "VCID-sz98-t7z9-bqea" }, { "vulnerability": "VCID-vns7-ssd1-8bhe" }, { "vulnerability": "VCID-y6j7-eetd-pkfh" }, { "vulnerability": "VCID-yync-gs3f-nyax" }, { "vulnerability": "VCID-z6uu-5bdh-pud4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.28.0" } ], "aliases": [ "CVE-2021-21393", "GHSA-jrh7-mhhx-6h88", "PYSEC-2021-26" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-j879-8928-yyh8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/70007?format=api", "vulnerability_id": "VCID-n8mv-4upg-hfa3", "summary": "Synapse is an open source Matrix homeserver implementation. Prior to 1.152.1, local authenticated users can cause Synapse to starve other requests of CPU and lead to other requests failing, causing other users to be denied service. This vulnerability is fixed in 1.152.1.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-45078", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02901", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.0289", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02895", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02905", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-45078" }, { "reference_url": "https://github.com/element-hq/synapse", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/element-hq/synapse" }, { "reference_url": "https://github.com/element-hq/synapse/commit/3f58bc50dfba5768ee43ce48c5e74c25ba0b078a", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/element-hq/synapse/commit/3f58bc50dfba5768ee43ce48c5e74c25ba0b078a" }, { "reference_url": "https://github.com/element-hq/synapse/issues/19394", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/element-hq/synapse/issues/19394" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2026-191.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2026-191.yaml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45078", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45078" }, { "reference_url": "https://github.com/advisories/GHSA-8q93-326v-3m7g", "reference_id": "GHSA-8q93-326v-3m7g", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-8q93-326v-3m7g" }, { "reference_url": "https://github.com/element-hq/synapse/security/advisories/GHSA-8q93-326v-3m7g", "reference_id": "GHSA-8q93-326v-3m7g", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-29T15:31:35Z/" } ], "url": "https://github.com/element-hq/synapse/security/advisories/GHSA-8q93-326v-3m7g" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/93940?format=api", "purl": "pkg:pypi/matrix-synapse@1.152.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.152.1" } ], "aliases": [ "CVE-2026-45078", "CVE-2026-45078,", "GHSA-8q93-326v-3m7g", "PYSEC-2026-191" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-n8mv-4upg-hfa3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/143114?format=api", "vulnerability_id": "VCID-p9ck-pwqp-qyc7", "summary": "Synapse is a Matrix protocol homeserver written in Python with the Twisted framework. A discovered oEmbed or image URL can bypass the `url_preview_url_blacklist` setting potentially allowing server side request forgery or bypassing network policies. Impact is limited to IP addresses allowed by the `url_preview_ip_range_blacklist` setting (by default this only allows public IPs) and by the limited information returned to the client: 1. For discovered oEmbed URLs, any non-JSON response or a JSON response which includes non-oEmbed information is discarded. 2. For discovered image URLs, any non-image response is discarded. Systems which have URL preview disabled (via the `url_preview_enabled` setting) or have not configured a `url_preview_url_blacklist` are not affected. This issue has been addressed in version 1.85.0. Users are advised to upgrade. User unable to upgrade may also disable URL previews.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-32683", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00349", "scoring_system": "epss", "scoring_elements": "0.57935", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00349", "scoring_system": "epss", "scoring_elements": "0.57818", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00349", "scoring_system": "epss", "scoring_elements": "0.57945", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00349", "scoring_system": "epss", "scoring_elements": "0.5793", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-32683" }, { "reference_url": "https://github.com/matrix-org/synapse", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse" }, { "reference_url": "https://github.com/matrix-org/synapse/releases/tag/v1.85.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/releases/tag/v1.85.0" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2023-85.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2023-85.yaml" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6DH5A5YEB5LRIPP32OUW25FCGZFCZU2", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6DH5A5YEB5LRIPP32OUW25FCGZFCZU2" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32683", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32683" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037207", "reference_id": "1037207", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037207" }, { "reference_url": "https://github.com/matrix-org/synapse/pull/15601", "reference_id": "15601", "reference_type": "", "scores": [ { "value": "3.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-07T16:25:39Z/" } ], "url": "https://github.com/matrix-org/synapse/pull/15601" }, { "reference_url": "https://github.com/advisories/GHSA-98px-6486-j7qc", "reference_id": "GHSA-98px-6486-j7qc", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-98px-6486-j7qc" }, { "reference_url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-98px-6486-j7qc", "reference_id": "GHSA-98px-6486-j7qc", "reference_type": "", "scores": [ { "value": "3.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-07T16:25:39Z/" } ], "url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-98px-6486-j7qc" }, { "reference_url": "https://usn.ubuntu.com/7444-1/", "reference_id": "USN-7444-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7444-1/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6DH5A5YEB5LRIPP32OUW25FCGZFCZU2/", "reference_id": "X6DH5A5YEB5LRIPP32OUW25FCGZFCZU2", "reference_type": "", "scores": [ { "value": "3.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-07T16:25:39Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6DH5A5YEB5LRIPP32OUW25FCGZFCZU2/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/76283?format=api", "purl": "pkg:pypi/matrix-synapse@1.85.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1xwm-33sy-3qfv" }, { "vulnerability": "VCID-2ctw-4fy5-4ufd" }, { "vulnerability": "VCID-3ngy-dt6j-tuef" }, { "vulnerability": "VCID-5h97-3s9w-c3ab" }, { "vulnerability": "VCID-7v7h-zrjj-pkh3" }, { "vulnerability": "VCID-c1vt-9j6a-b7cr" }, { "vulnerability": "VCID-hqwh-2un3-bqd8" }, { "vulnerability": "VCID-husr-u735-97hh" }, { "vulnerability": "VCID-n8mv-4upg-hfa3" }, { "vulnerability": "VCID-rcdd-qkxt-nuez" }, { "vulnerability": "VCID-s1jf-x5ug-jqcq" }, { "vulnerability": "VCID-y6j7-eetd-pkfh" }, { "vulnerability": "VCID-yync-gs3f-nyax" }, { "vulnerability": "VCID-z6uu-5bdh-pud4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.85.0" } ], "aliases": [ "CVE-2023-32683", "GHSA-98px-6486-j7qc", "PYSEC-2023-85" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-p9ck-pwqp-qyc7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/44672?format=api", "vulnerability_id": "VCID-rcdd-qkxt-nuez", "summary": "Synapse is an open-source Matrix homeserver. In Synapse versions before 1.120.1, enabling the dynamic_thumbnails option or processing a specially crafted request could trigger the decoding and thumbnail generation of uncommon image formats, potentially invoking external tools like Ghostscript for processing. This significantly expands the attack surface in a historically vulnerable area, presenting a risk that far outweighs the benefit, particularly since these formats are rarely used on the open web or within the Matrix ecosystem. Synapse 1.120.1 addresses the issue by restricting thumbnail generation to images in the following widely used formats: PNG, JPEG, GIF, and WebP. This vulnerability is fixed in 1.120.1.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-53863", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00962", "scoring_system": "epss", "scoring_elements": "0.76998", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00962", "scoring_system": "epss", "scoring_elements": "0.77006", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00962", "scoring_system": "epss", "scoring_elements": "0.76926", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00962", "scoring_system": "epss", "scoring_elements": "0.77013", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-53863" }, { "reference_url": "https://github.com/element-hq/synapse", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/element-hq/synapse" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53863", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53863" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088995", "reference_id": "1088995", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088995" }, { "reference_url": "https://github.com/advisories/GHSA-vp6v-whfm-rv3g", "reference_id": "GHSA-vp6v-whfm-rv3g", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-vp6v-whfm-rv3g" }, { "reference_url": "https://github.com/element-hq/synapse/security/advisories/GHSA-vp6v-whfm-rv3g", "reference_id": "GHSA-vp6v-whfm-rv3g", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-12-03T19:07:32Z/" } ], "url": "https://github.com/element-hq/synapse/security/advisories/GHSA-vp6v-whfm-rv3g" }, { "reference_url": "https://usn.ubuntu.com/7444-1/", "reference_id": "USN-7444-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7444-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/372296?format=api", "purl": "pkg:pypi/matrix-synapse@1.120.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.120.1" } ], "aliases": [ "CVE-2024-53863", "GHSA-vp6v-whfm-rv3g" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rcdd-qkxt-nuez" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/43596?format=api", "vulnerability_id": "VCID-s1jf-x5ug-jqcq", "summary": "Synapse is an open-source Matrix homeserver. In Synapse before 1.120.1, multipart/form-data requests can in certain configurations transiently increase memory consumption beyond expected levels while processing the request, which can be used to amplify denial of service attacks. Synapse 1.120.1 resolves the issue by denying requests with unsupported multipart/form-data content type.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-52805", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01089", "scoring_system": "epss", "scoring_elements": "0.78418", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.01089", "scoring_system": "epss", "scoring_elements": "0.78422", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.01089", "scoring_system": "epss", "scoring_elements": "0.78408", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.01089", "scoring_system": "epss", "scoring_elements": "0.7834", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-52805" }, { "reference_url": "https://github.com/element-hq/synapse", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/element-hq/synapse" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52805", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52805" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088995", "reference_id": "1088995", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088995" }, { "reference_url": "https://github.com/twisted/twisted/issues/4688#issuecomment-1167705518", "reference_id": "4688#issuecomment-1167705518", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-12-03T19:04:05Z/" } ], "url": "https://github.com/twisted/twisted/issues/4688#issuecomment-1167705518" }, { "reference_url": "https://github.com/twisted/twisted/issues/4688#issuecomment-2385711609", "reference_id": "4688#issuecomment-2385711609", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-12-03T19:04:05Z/" } ], "url": "https://github.com/twisted/twisted/issues/4688#issuecomment-2385711609" }, { "reference_url": "https://github.com/advisories/GHSA-rfq8-j7rh-8hf2", "reference_id": "GHSA-rfq8-j7rh-8hf2", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-rfq8-j7rh-8hf2" }, { "reference_url": "https://github.com/element-hq/synapse/security/advisories/GHSA-rfq8-j7rh-8hf2", "reference_id": "GHSA-rfq8-j7rh-8hf2", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-12-03T19:04:05Z/" } ], "url": "https://github.com/element-hq/synapse/security/advisories/GHSA-rfq8-j7rh-8hf2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/372296?format=api", "purl": "pkg:pypi/matrix-synapse@1.120.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.120.1" } ], "aliases": [ "CVE-2024-52805", "GHSA-rfq8-j7rh-8hf2" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-s1jf-x5ug-jqcq" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/172142?format=api", "vulnerability_id": "VCID-sz98-t7z9-bqea", "summary": "Synapse before 1.52.0 with URL preview functionality enabled will attempt to generate URL previews for media stream URLs without properly limiting connection time. Connections will only be terminated after `max_spider_size` (default: 10M) bytes have been downloaded, which can in some cases lead to long-lived connections towards the streaming media server (for instance, Icecast). This can cause excessive traffic and connections toward such servers if their stream URL is, for example, posted to a large room with many Synapse instances with URL preview enabled. Version 1.52.0 implements a timeout mechanism which will terminate URL preview connections after 30 seconds. Since generating URL previews for media streams is not supported and always fails, 1.53.0 additionally implements an allow list for content types for which Synapse will even attempt to generate a URL preview. Upgrade to 1.53.0 to fully resolve the issue. As a workaround, turn off URL preview functionality by setting `url_preview_enabled: false` in the Synapse configuration file.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-41952", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00552", "scoring_system": "epss", "scoring_elements": "0.68572", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00552", "scoring_system": "epss", "scoring_elements": "0.68564", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00552", "scoring_system": "epss", "scoring_elements": "0.68578", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00552", "scoring_system": "epss", "scoring_elements": "0.68476", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-41952" }, { "reference_url": "https://github.com/matrix-org/synapse", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse" }, { "reference_url": "https://github.com/matrix-org/synapse/pull/11784", "reference_id": "11784", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:48:47Z/" } ], "url": "https://github.com/matrix-org/synapse/pull/11784" }, { "reference_url": "https://github.com/matrix-org/synapse/pull/11936", "reference_id": "11936", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:48:47Z/" } ], "url": "https://github.com/matrix-org/synapse/pull/11936" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41952", "reference_id": "CVE-2022-41952", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41952" }, { "reference_url": "https://github.com/advisories/GHSA-4822-jvwx-w47h", "reference_id": "GHSA-4822-jvwx-w47h", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4822-jvwx-w47h" }, { "reference_url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-4822-jvwx-w47h", "reference_id": "GHSA-4822-jvwx-w47h", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:48:47Z/" } ], "url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-4822-jvwx-w47h" }, { "reference_url": "https://github.com/matrix-org/synapse/releases/tag/v1.52.0", "reference_id": "v1.52.0", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:48:47Z/" } ], "url": "https://github.com/matrix-org/synapse/releases/tag/v1.52.0" }, { "reference_url": "https://github.com/matrix-org/synapse/releases/tag/v1.53.0", "reference_id": "v1.53.0", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:48:47Z/" } ], "url": "https://github.com/matrix-org/synapse/releases/tag/v1.53.0" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/19990?format=api", "purl": "pkg:pypi/matrix-synapse@1.53.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1xwm-33sy-3qfv" }, { "vulnerability": "VCID-27ht-47d2-77f6" }, { "vulnerability": "VCID-2ctw-4fy5-4ufd" }, { "vulnerability": "VCID-3ngy-dt6j-tuef" }, { "vulnerability": "VCID-5h97-3s9w-c3ab" }, { "vulnerability": "VCID-7v7h-zrjj-pkh3" }, { "vulnerability": "VCID-8n5g-1zby-77gj" }, { "vulnerability": "VCID-9uhc-e3bj-nqg7" }, { "vulnerability": "VCID-bkk8-srvr-pqfj" }, { "vulnerability": "VCID-c1vt-9j6a-b7cr" }, { "vulnerability": "VCID-g8ff-1859-ekhm" }, { "vulnerability": "VCID-hqwh-2un3-bqd8" }, { "vulnerability": "VCID-n8mv-4upg-hfa3" }, { "vulnerability": "VCID-p9ck-pwqp-qyc7" }, { "vulnerability": "VCID-rcdd-qkxt-nuez" }, { "vulnerability": "VCID-s1jf-x5ug-jqcq" }, { "vulnerability": "VCID-y6j7-eetd-pkfh" }, { "vulnerability": "VCID-yync-gs3f-nyax" }, { "vulnerability": "VCID-z6uu-5bdh-pud4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.53.0" } ], "aliases": [ "CVE-2022-41952", "GHSA-4822-jvwx-w47h", "GMS-2022-624" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-sz98-t7z9-bqea" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/218120?format=api", "vulnerability_id": "VCID-v2m6-n5w2-wfc5", "summary": "Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.27.0, the password reset endpoint served via Synapse was vulnerable to cross-site scripting (XSS) attacks. The impact depends on the configuration of the domain that Synapse is deployed on, but may allow access to cookies and other browser data, CSRF vulnerabilities, and access to other resources served on the same domain or parent domains. This is fixed in version 1.27.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-21332", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00505", "scoring_system": "epss", "scoring_elements": "0.66642", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00505", "scoring_system": "epss", "scoring_elements": "0.66735", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00505", "scoring_system": "epss", "scoring_elements": "0.66748", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00505", "scoring_system": "epss", "scoring_elements": "0.66747", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-21332" }, { "reference_url": "https://github.com/matrix-org/synapse", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse" }, { "reference_url": "https://github.com/matrix-org/synapse/commit/e54746bdf7d5c831eabe4dcea76a7626f1de73df", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/commit/e54746bdf7d5c831eabe4dcea76a7626f1de73df" }, { "reference_url": "https://github.com/matrix-org/synapse/pull/9200", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/pull/9200" }, { "reference_url": "https://github.com/matrix-org/synapse/releases/tag/v1.27.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/releases/tag/v1.27.0" }, { "reference_url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-246w-56m2-5899", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-246w-56m2-5899" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-133.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-133.yaml" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21332", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21332" }, { "reference_url": "https://github.com/advisories/GHSA-246w-56m2-5899", "reference_id": "GHSA-246w-56m2-5899", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-246w-56m2-5899" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/63036?format=api", "purl": "pkg:pypi/matrix-synapse@1.27.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1xwm-33sy-3qfv" }, { "vulnerability": "VCID-27ht-47d2-77f6" }, { "vulnerability": "VCID-2ctw-4fy5-4ufd" }, { "vulnerability": "VCID-3ngy-dt6j-tuef" }, { "vulnerability": "VCID-4kph-6snj-huhk" }, { "vulnerability": "VCID-5h97-3s9w-c3ab" }, { "vulnerability": "VCID-7v7h-zrjj-pkh3" }, { "vulnerability": "VCID-86br-xun2-gudx" }, { "vulnerability": "VCID-8974-zsm2-ybbv" }, { "vulnerability": "VCID-8n5g-1zby-77gj" }, { "vulnerability": "VCID-9uhc-e3bj-nqg7" }, { "vulnerability": "VCID-b2u5-56b4-63ae" }, { "vulnerability": "VCID-bkk8-srvr-pqfj" }, { "vulnerability": "VCID-c1vt-9j6a-b7cr" }, { "vulnerability": "VCID-cjar-y1hc-4ybu" }, { "vulnerability": "VCID-dux1-nmrm-xqa1" }, { "vulnerability": "VCID-g8ff-1859-ekhm" }, { "vulnerability": "VCID-hqwh-2un3-bqd8" }, { "vulnerability": "VCID-j879-8928-yyh8" }, { "vulnerability": "VCID-n8mv-4upg-hfa3" }, { "vulnerability": "VCID-p9ck-pwqp-qyc7" }, { "vulnerability": "VCID-rcdd-qkxt-nuez" }, { "vulnerability": "VCID-s1jf-x5ug-jqcq" }, { "vulnerability": "VCID-sz98-t7z9-bqea" }, { "vulnerability": "VCID-vns7-ssd1-8bhe" }, { "vulnerability": "VCID-y6j7-eetd-pkfh" }, { "vulnerability": "VCID-yync-gs3f-nyax" }, { "vulnerability": "VCID-z6uu-5bdh-pud4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.27.0" } ], "aliases": [ "CVE-2021-21332", "GHSA-246w-56m2-5899", "PYSEC-2021-133" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-v2m6-n5w2-wfc5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/197597?format=api", "vulnerability_id": "VCID-vns7-ssd1-8bhe", "summary": "information disclosure", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39163", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.002", "scoring_system": "epss", "scoring_elements": "0.42165", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.002", "scoring_system": "epss", "scoring_elements": "0.42002", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.002", "scoring_system": "epss", "scoring_elements": "0.42177", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.002", "scoring_system": "epss", "scoring_elements": "0.42187", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39163" }, { "reference_url": "https://github.com/matrix-org/synapse", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse" }, { "reference_url": "https://github.com/matrix-org/synapse/commit/cb35df940a", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/commit/cb35df940a" }, { "reference_url": "https://github.com/matrix-org/synapse/releases/tag/v1.41.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/releases/tag/v1.41.1" }, { "reference_url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-jj53-8fmw-f2w2", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-jj53-8fmw-f2w2" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-424.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-424.yaml" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2VHDEPCZ22GJFMZCWA2XZAGPOEV72POF", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2VHDEPCZ22GJFMZCWA2XZAGPOEV72POF" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2VHDEPCZ22GJFMZCWA2XZAGPOEV72POF/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2VHDEPCZ22GJFMZCWA2XZAGPOEV72POF/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PXT7ID7DNBRN2TVTETU3SYQHJKEG6PXN", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PXT7ID7DNBRN2TVTETU3SYQHJKEG6PXN" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PXT7ID7DNBRN2TVTETU3SYQHJKEG6PXN/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PXT7ID7DNBRN2TVTETU3SYQHJKEG6PXN/" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39163", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39163" }, { "reference_url": "https://security.archlinux.org/AVG-2334", "reference_id": "AVG-2334", "reference_type": "", "scores": [ { "value": "Medium", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2334" }, { "reference_url": "https://github.com/advisories/GHSA-jj53-8fmw-f2w2", "reference_id": "GHSA-jj53-8fmw-f2w2", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-jj53-8fmw-f2w2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/66121?format=api", "purl": "pkg:pypi/matrix-synapse@1.41.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1xwm-33sy-3qfv" }, { "vulnerability": "VCID-27ht-47d2-77f6" }, { "vulnerability": "VCID-2ctw-4fy5-4ufd" }, { "vulnerability": "VCID-3ngy-dt6j-tuef" }, { "vulnerability": "VCID-5h97-3s9w-c3ab" }, { "vulnerability": "VCID-7v7h-zrjj-pkh3" }, { "vulnerability": "VCID-8n5g-1zby-77gj" }, { "vulnerability": "VCID-9uhc-e3bj-nqg7" }, { "vulnerability": "VCID-b2u5-56b4-63ae" }, { "vulnerability": "VCID-bkk8-srvr-pqfj" }, { "vulnerability": "VCID-c1vt-9j6a-b7cr" }, { "vulnerability": "VCID-g8ff-1859-ekhm" }, { "vulnerability": "VCID-hqwh-2un3-bqd8" }, { "vulnerability": "VCID-n8mv-4upg-hfa3" }, { "vulnerability": "VCID-p9ck-pwqp-qyc7" }, { "vulnerability": "VCID-rcdd-qkxt-nuez" }, { "vulnerability": "VCID-s1jf-x5ug-jqcq" }, { "vulnerability": "VCID-sz98-t7z9-bqea" }, { "vulnerability": "VCID-y6j7-eetd-pkfh" }, { "vulnerability": "VCID-yync-gs3f-nyax" }, { "vulnerability": "VCID-z6uu-5bdh-pud4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.41.1" } ], "aliases": [ "CVE-2021-39163", "GHSA-jj53-8fmw-f2w2", "PYSEC-2021-424" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vns7-ssd1-8bhe" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/127905?format=api", "vulnerability_id": "VCID-y6j7-eetd-pkfh", "summary": "Synapse is an open source Matrix homeserver implementation. Lack of validation for device keys in Synapse before 1.138.3 and in Synapse 1.139.0 allow an attacker registered on the victim homeserver to degrade federation functionality, unpredictably breaking outbound federation to other homeservers. The issue is patched in Synapse 1.138.3, 1.138.4, 1.139.1, and 1.139.2. Note that even though 1.138.3 and 1.139.1 fix the vulnerability, they inadvertently introduced an unrelated regression. For this reason, the maintainers of Synapse recommend skipping these releases and upgrading straight to 1.138.4 and 1.139.2.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61672.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61672.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-61672", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00046", "scoring_system": "epss", "scoring_elements": "0.14801", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00046", "scoring_system": "epss", "scoring_elements": "0.14679", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.16114", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.16148", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-61672" }, { "reference_url": "https://github.com/element-hq/synapse", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/element-hq/synapse" }, { "reference_url": "https://github.com/element-hq/synapse/releases/tag/v1.138.4", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/element-hq/synapse/releases/tag/v1.138.4" }, { "reference_url": "https://github.com/element-hq/synapse/releases/tag/v1.139.2", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/element-hq/synapse/releases/tag/v1.139.2" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117854", "reference_id": "1117854", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117854" }, { "reference_url": "https://github.com/element-hq/synapse/pull/17097", "reference_id": "17097", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-15T16:10:58Z/" } ], "url": "https://github.com/element-hq/synapse/pull/17097" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2402525", "reference_id": "2402525", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2402525" }, { "reference_url": "https://github.com/element-hq/synapse/commit/26aaaf9e48fff80cf67a20c691c75d670034b3c1", "reference_id": "26aaaf9e48fff80cf67a20c691c75d670034b3c1", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-15T16:10:58Z/" } ], "url": "https://github.com/element-hq/synapse/commit/26aaaf9e48fff80cf67a20c691c75d670034b3c1" }, { "reference_url": "https://github.com/element-hq/synapse/commit/7069636c2d6d1ef2022287addf3ed8b919ef2740", "reference_id": "7069636c2d6d1ef2022287addf3ed8b919ef2740", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-15T16:10:58Z/" } ], "url": "https://github.com/element-hq/synapse/commit/7069636c2d6d1ef2022287addf3ed8b919ef2740" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61672", "reference_id": "CVE-2025-61672", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61672" }, { "reference_url": "https://github.com/advisories/GHSA-fh66-fcv5-jjfr", "reference_id": "GHSA-fh66-fcv5-jjfr", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-fh66-fcv5-jjfr" }, { "reference_url": "https://github.com/element-hq/synapse/security/advisories/GHSA-fh66-fcv5-jjfr", "reference_id": "GHSA-fh66-fcv5-jjfr", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-15T16:10:58Z/" } ], "url": "https://github.com/element-hq/synapse/security/advisories/GHSA-fh66-fcv5-jjfr" }, { "reference_url": "https://github.com/element-hq/synapse/releases/tag/v1.138.3", "reference_id": "v1.138.3", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-15T16:10:58Z/" } ], "url": "https://github.com/element-hq/synapse/releases/tag/v1.138.3" }, { "reference_url": "https://github.com/element-hq/synapse/releases/tag/v1.139.1", "reference_id": "v1.139.1", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-15T16:10:58Z/" } ], "url": "https://github.com/element-hq/synapse/releases/tag/v1.139.1" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/34136?format=api", "purl": "pkg:pypi/matrix-synapse@1.138.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1xwm-33sy-3qfv" }, { "vulnerability": "VCID-n8mv-4upg-hfa3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.138.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/34138?format=api", "purl": "pkg:pypi/matrix-synapse@1.139.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1xwm-33sy-3qfv" }, { "vulnerability": "VCID-n8mv-4upg-hfa3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.139.1" } ], "aliases": [ "CVE-2025-61672", "GHSA-fh66-fcv5-jjfr" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-y6j7-eetd-pkfh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/197316?format=api", "vulnerability_id": "VCID-ygy4-xzjr-2fdc", "summary": "cross-site scripting", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-26891", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00439", "scoring_system": "epss", "scoring_elements": "0.63705", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00439", "scoring_system": "epss", "scoring_elements": "0.63591", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00439", "scoring_system": "epss", "scoring_elements": "0.63708", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00439", "scoring_system": "epss", "scoring_elements": "0.63693", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-26891" }, { "reference_url": "https://github.com/matrix-org/synapse", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse" }, { "reference_url": "https://github.com/matrix-org/synapse/pull/8444", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/pull/8444" }, { "reference_url": "https://github.com/matrix-org/synapse/releases", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/releases" }, { "reference_url": "https://github.com/matrix-org/synapse/releases/tag/v1.21.2", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/releases/tag/v1.21.2" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2020-238.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2020-238.yaml" }, { "reference_url": "https://matrix.org/blog/2020/10/15/synapse-1-21-2-released-and-security-advisory", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://matrix.org/blog/2020/10/15/synapse-1-21-2-released-and-security-advisory" }, { "reference_url": "https://security.archlinux.org/ASA-202011-4", "reference_id": "ASA-202011-4", "reference_type": "", "scores": [], "url": "https://security.archlinux.org/ASA-202011-4" }, { "reference_url": "https://security.archlinux.org/AVG-1252", "reference_id": "AVG-1252", "reference_type": "", "scores": [ { "value": "High", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-1252" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26891", "reference_id": "CVE-2020-26891", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26891" }, { "reference_url": "https://github.com/advisories/GHSA-3x8c-fmpc-5rmq", "reference_id": "GHSA-3x8c-fmpc-5rmq", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3x8c-fmpc-5rmq" }, { "reference_url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-3x8c-fmpc-5rmq", "reference_id": "GHSA-3x8c-fmpc-5rmq", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-3x8c-fmpc-5rmq" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/17913?format=api", "purl": "pkg:pypi/matrix-synapse@1.21.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1xwm-33sy-3qfv" }, { "vulnerability": "VCID-27ht-47d2-77f6" }, { "vulnerability": "VCID-2ctw-4fy5-4ufd" }, { "vulnerability": "VCID-2du1-3n24-rbgx" }, { "vulnerability": "VCID-3ngy-dt6j-tuef" }, { "vulnerability": "VCID-4kph-6snj-huhk" }, { "vulnerability": "VCID-5h97-3s9w-c3ab" }, { "vulnerability": "VCID-6a8s-n8vb-hker" }, { "vulnerability": "VCID-7v7h-zrjj-pkh3" }, { "vulnerability": "VCID-86br-xun2-gudx" }, { "vulnerability": "VCID-8974-zsm2-ybbv" }, { "vulnerability": "VCID-8n5g-1zby-77gj" }, { "vulnerability": "VCID-9uhc-e3bj-nqg7" }, { "vulnerability": "VCID-ahwq-36cc-pqhn" }, { "vulnerability": "VCID-b2u5-56b4-63ae" }, { "vulnerability": "VCID-bkk8-srvr-pqfj" }, { "vulnerability": "VCID-c1vt-9j6a-b7cr" }, { "vulnerability": "VCID-cjar-y1hc-4ybu" }, { "vulnerability": "VCID-dux1-nmrm-xqa1" }, { "vulnerability": "VCID-g8ff-1859-ekhm" }, { "vulnerability": "VCID-hqwh-2un3-bqd8" }, { "vulnerability": "VCID-j879-8928-yyh8" }, { "vulnerability": "VCID-n8mv-4upg-hfa3" }, { "vulnerability": "VCID-p9ck-pwqp-qyc7" }, { "vulnerability": "VCID-rcdd-qkxt-nuez" }, { "vulnerability": "VCID-s1jf-x5ug-jqcq" }, { "vulnerability": "VCID-sz98-t7z9-bqea" }, { "vulnerability": "VCID-v2m6-n5w2-wfc5" }, { "vulnerability": "VCID-vns7-ssd1-8bhe" }, { "vulnerability": "VCID-y6j7-eetd-pkfh" }, { "vulnerability": "VCID-yu4n-aq57-67g5" }, { "vulnerability": "VCID-yync-gs3f-nyax" }, { "vulnerability": "VCID-z6uu-5bdh-pud4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.21.0" } ], "aliases": [ "CVE-2020-26891", "GHSA-3x8c-fmpc-5rmq", "PYSEC-2020-238" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ygy4-xzjr-2fdc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/218119?format=api", "vulnerability_id": "VCID-yu4n-aq57-67g5", "summary": "Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.27.0, the notification emails sent for notifications for missed messages or for an expiring account are subject to HTML injection. In the case of the notification for missed messages, this could allow an attacker to insert forged content into the email. The account expiry feature is not enabled by default and the HTML injection is not controllable by an attacker. This is fixed in version 1.27.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-21333", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00385", "scoring_system": "epss", "scoring_elements": "0.60129", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00385", "scoring_system": "epss", "scoring_elements": "0.60236", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00385", "scoring_system": "epss", "scoring_elements": "0.60246", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00385", "scoring_system": "epss", "scoring_elements": "0.6024", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-21333" }, { "reference_url": "https://github.com/matrix-org/synapse", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse" }, { "reference_url": "https://github.com/matrix-org/synapse/commit/e54746bdf7d5c831eabe4dcea76a7626f1de73df", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/commit/e54746bdf7d5c831eabe4dcea76a7626f1de73df" }, { "reference_url": "https://github.com/matrix-org/synapse/pull/9200", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/pull/9200" }, { "reference_url": "https://github.com/matrix-org/synapse/releases/tag/v1.27.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/releases/tag/v1.27.0" }, { "reference_url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-c5f8-35qr-q4fm", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-c5f8-35qr-q4fm" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-134.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-134.yaml" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21333", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21333" }, { "reference_url": "https://github.com/advisories/GHSA-c5f8-35qr-q4fm", "reference_id": "GHSA-c5f8-35qr-q4fm", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-c5f8-35qr-q4fm" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/63036?format=api", "purl": "pkg:pypi/matrix-synapse@1.27.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1xwm-33sy-3qfv" }, { "vulnerability": "VCID-27ht-47d2-77f6" }, { "vulnerability": "VCID-2ctw-4fy5-4ufd" }, { "vulnerability": "VCID-3ngy-dt6j-tuef" }, { "vulnerability": "VCID-4kph-6snj-huhk" }, { "vulnerability": "VCID-5h97-3s9w-c3ab" }, { "vulnerability": "VCID-7v7h-zrjj-pkh3" }, { "vulnerability": "VCID-86br-xun2-gudx" }, { "vulnerability": "VCID-8974-zsm2-ybbv" }, { "vulnerability": "VCID-8n5g-1zby-77gj" }, { "vulnerability": "VCID-9uhc-e3bj-nqg7" }, { "vulnerability": "VCID-b2u5-56b4-63ae" }, { "vulnerability": "VCID-bkk8-srvr-pqfj" }, { "vulnerability": "VCID-c1vt-9j6a-b7cr" }, { "vulnerability": "VCID-cjar-y1hc-4ybu" }, { "vulnerability": "VCID-dux1-nmrm-xqa1" }, { "vulnerability": "VCID-g8ff-1859-ekhm" }, { "vulnerability": "VCID-hqwh-2un3-bqd8" }, { "vulnerability": "VCID-j879-8928-yyh8" }, { "vulnerability": "VCID-n8mv-4upg-hfa3" }, { "vulnerability": "VCID-p9ck-pwqp-qyc7" }, { "vulnerability": "VCID-rcdd-qkxt-nuez" }, { "vulnerability": "VCID-s1jf-x5ug-jqcq" }, { "vulnerability": "VCID-sz98-t7z9-bqea" }, { "vulnerability": "VCID-vns7-ssd1-8bhe" }, { "vulnerability": "VCID-y6j7-eetd-pkfh" }, { "vulnerability": "VCID-yync-gs3f-nyax" }, { "vulnerability": "VCID-z6uu-5bdh-pud4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.27.0" } ], "aliases": [ "CVE-2021-21333", "GHSA-c5f8-35qr-q4fm", "PYSEC-2021-134" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-yu4n-aq57-67g5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/182399?format=api", "vulnerability_id": "VCID-yync-gs3f-nyax", "summary": "Multiple vulnerabilites have been found in Synapse, the worst of which could result in information leaks.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-45129.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-45129.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-45129", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00266", "scoring_system": "epss", "scoring_elements": "0.50513", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00266", "scoring_system": "epss", "scoring_elements": "0.5038", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00266", "scoring_system": "epss", "scoring_elements": "0.50518", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00266", "scoring_system": "epss", "scoring_elements": "0.50531", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-45129" }, { "reference_url": "https://github.com/matrix-org/synapse", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse" }, { "reference_url": "https://github.com/matrix-org/synapse/commit/f84da3c32ec74cf054e2fd6d10618aa4997cffaa", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/commit/f84da3c32ec74cf054e2fd6d10618aa4997cffaa" }, { "reference_url": "https://github.com/matrix-org/synapse/pull/16360", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/pull/16360" }, { "reference_url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-5chr-wjw5-3gq4", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-5chr-wjw5-3gq4" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2023-199.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2023-199.yaml" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KEVRB4MG5UXQ5RLZHSUJXM5GWEBYYS5B", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KEVRB4MG5UXQ5RLZHSUJXM5GWEBYYS5B" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N6P4QULVUE254WI7XF2LWWOGHCYVFXFY", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N6P4QULVUE254WI7XF2LWWOGHCYVFXFY" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WRO4MPQ6HOXIUZM6RJP6VTCTMV7RD2T3", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WRO4MPQ6HOXIUZM6RJP6VTCTMV7RD2T3" }, { "reference_url": "https://matrix-org.github.io/synapse/latest/admin_api/rooms.html#version-2-new-version", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://matrix-org.github.io/synapse/latest/admin_api/rooms.html#version-2-new-version" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45129", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45129" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2243128", "reference_id": "2243128", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2243128" }, { "reference_url": "https://github.com/advisories/GHSA-5chr-wjw5-3gq4", "reference_id": "GHSA-5chr-wjw5-3gq4", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5chr-wjw5-3gq4" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/79256?format=api", "purl": "pkg:pypi/matrix-synapse@1.94.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1xwm-33sy-3qfv" }, { "vulnerability": "VCID-2ctw-4fy5-4ufd" }, { "vulnerability": "VCID-3ngy-dt6j-tuef" }, { "vulnerability": "VCID-7v7h-zrjj-pkh3" }, { "vulnerability": "VCID-c1vt-9j6a-b7cr" }, { "vulnerability": "VCID-hqwh-2un3-bqd8" }, { "vulnerability": "VCID-n8mv-4upg-hfa3" }, { "vulnerability": "VCID-rcdd-qkxt-nuez" }, { "vulnerability": "VCID-s1jf-x5ug-jqcq" }, { "vulnerability": "VCID-y6j7-eetd-pkfh" }, { "vulnerability": "VCID-z6uu-5bdh-pud4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.94.0" } ], "aliases": [ "CVE-2023-45129", "GHSA-5chr-wjw5-3gq4", "PYSEC-2023-199" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-yync-gs3f-nyax" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/182398?format=api", "vulnerability_id": "VCID-z6uu-5bdh-pud4", "summary": "Multiple vulnerabilites have been found in Synapse, the worst of which could result in information leaks.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-43796", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00233", "scoring_system": "epss", "scoring_elements": "0.46465", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00233", "scoring_system": "epss", "scoring_elements": "0.46455", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00233", "scoring_system": "epss", "scoring_elements": "0.46309", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00233", "scoring_system": "epss", "scoring_elements": "0.46451", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-43796" }, { "reference_url": "https://github.com/matrix-org/synapse", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse" }, { "reference_url": "https://github.com/matrix-org/synapse/commit/daec55e1fe120c564240c5386e77941372bf458f", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/commit/daec55e1fe120c564240c5386e77941372bf458f" }, { "reference_url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-mp92-3jfm-3575", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-mp92-3jfm-3575" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2023-230.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2023-230.yaml" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2IDEEZMFJBDLTFHQUTZRJJNCOZGQ2ZVS", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2IDEEZMFJBDLTFHQUTZRJJNCOZGQ2ZVS" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VH3RNC5ZPQZ4OKPSL4E6BBJSZOQLGDEY", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VH3RNC5ZPQZ4OKPSL4E6BBJSZOQLGDEY" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43796", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43796" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055255", "reference_id": "1055255", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055255" }, { "reference_url": "https://github.com/advisories/GHSA-mp92-3jfm-3575", "reference_id": "GHSA-mp92-3jfm-3575", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-mp92-3jfm-3575" }, { "reference_url": "https://usn.ubuntu.com/7444-1/", "reference_id": "USN-7444-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7444-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/80687?format=api", "purl": "pkg:pypi/matrix-synapse@1.95.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1xwm-33sy-3qfv" }, { "vulnerability": "VCID-2ctw-4fy5-4ufd" }, { "vulnerability": "VCID-3ngy-dt6j-tuef" }, { "vulnerability": "VCID-7v7h-zrjj-pkh3" }, { "vulnerability": "VCID-c1vt-9j6a-b7cr" }, { "vulnerability": "VCID-hqwh-2un3-bqd8" }, { "vulnerability": "VCID-n8mv-4upg-hfa3" }, { "vulnerability": "VCID-rcdd-qkxt-nuez" }, { "vulnerability": "VCID-s1jf-x5ug-jqcq" }, { "vulnerability": "VCID-y6j7-eetd-pkfh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.95.1" } ], "aliases": [ "CVE-2023-43796", "GHSA-mp92-3jfm-3575", "PYSEC-2023-230" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-z6uu-5bdh-pud4" } ], "fixing_vulnerabilities": [], "risk_score": "4.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@0.99.2" }