{"url":"http://public2.vulnerablecode.io/api/packages/13101?format=json","purl":"pkg:pypi/matrix-synapse@0.33.9","type":"pypi","namespace":"","name":"matrix-synapse","version":"0.33.9","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":null,"latest_non_vulnerable_version":null,"affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36458?format=json","vulnerability_id":"VCID-2q41-366b-jfbs","summary":"Synapse is a Matrix protocol homeserver written in Python with the Twisted framework. A discovered oEmbed or image URL can bypass the `url_preview_url_blacklist` setting potentially allowing server side request forgery or bypassing network policies. Impact is limited to IP addresses allowed by the `url_preview_ip_range_blacklist` setting (by default this only allows public IPs) and by the limited information returned to the client: 1. For discovered oEmbed URLs, any non-JSON response or a JSON response which includes non-oEmbed information is discarded. 2. For discovered image URLs, any non-image response is discarded. Systems which have URL preview disabled (via the `url_preview_enabled` setting) or have not configured a `url_preview_url_blacklist` are not affected. This issue has been addressed in version 1.85.0. Users are advised to upgrade. 
User unable to upgrade may also disable URL previews.","references":[{"reference_url":"https://github.com/matrix-org/synapse","reference_id":"","reference_type":"","scores":[{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse"},{"reference_url":"https://github.com/matrix-org/synapse/pull/15601","reference_id":"","reference_type":"","scores":[{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/pull/15601"},{"reference_url":"https://github.com/matrix-org/synapse/releases/tag/v1.85.0","reference_id":"","reference_type":"","scores":[{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/releases/tag/v1.85.0"},{"reference_url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-98px-6486-j7qc","reference_id":"","reference_type":"","scores":[{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"u
rl":"https://github.com/matrix-org/synapse/security/advisories/GHSA-98px-6486-j7qc"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2023-85.yaml","reference_id":"","reference_type":"","scores":[{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2023-85.yaml"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6DH5A5YEB5LRIPP32OUW25FCGZFCZU2","reference_id":"","reference_type":"","scores":[{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6DH5A5YEB5LRIPP32OUW25FCGZFCZU2"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037207","reference_id":"1037207","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037207"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-32683","reference_id":"CVE-2023-32683","reference_type":"","scores":[{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2
023-32683"},{"reference_url":"https://github.com/advisories/GHSA-98px-6486-j7qc","reference_id":"GHSA-98px-6486-j7qc","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-98px-6486-j7qc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/33942?format=json","purl":"pkg:pypi/matrix-synapse@1.85.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4vve-jkk2-rueg"},{"vulnerability":"VCID-57xv-u1be-mfez"},{"vulnerability":"VCID-8zas-gnpp-3qfd"},{"vulnerability":"VCID-9t8r-dp58-xydr"},{"vulnerability":"VCID-ewxj-3jt9-p7af"},{"vulnerability":"VCID-mgxc-w86p-yqcm"},{"vulnerability":"VCID-w6fr-65fa-9yhb"},{"vulnerability":"VCID-z4xn-smp8-tfcj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.85.0"}],"aliases":["CVE-2023-32683","GHSA-98px-6486-j7qc","PYSEC-2023-85"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2q41-366b-jfbs"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36457?format=json","vulnerability_id":"VCID-2uq2-kcfr-87gr","summary":"Synapse is a Matrix protocol homeserver written in Python with the Twisted framework. In affected versions it may be possible for a deactivated user to login when using uncommon configurations. This only applies if any of the following are true: 1. JSON Web Tokens are enabled for login via the `jwt_config.enabled` configuration setting. 2. The local password database is enabled via the `password_config.enabled` and `password_config.localdb_enabled` configuration settings *and* a user's password is updated via an admin API after a user is deactivated. Note that the local password database is enabled by default, but it is uncommon to set a user's password after they've been deactivated. 
Installations that are configured to only allow login via Single Sign-On (SSO) via CAS, SAML or OpenID Connect (OIDC); or via an external password provider (e.g. LDAP) are not affected. If not using JSON Web Tokens, ensure that deactivated users do not have a password set. This issue has been addressed in version 1.85.0. Users are advised to upgrade.","references":[{"reference_url":"https://github.com/matrix-org/synapse","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse"},{"reference_url":"https://github.com/matrix-org/synapse/issues/12274","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/issues/12274"},{"reference_url":"https://github.com/matrix-org/synapse/pull/15624","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/pull/15624"},{"reference_url":"https://github.com/matrix-org/synapse/pull/15634","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"C
VSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/pull/15634"},{"reference_url":"https://github.com/matrix-org/synapse/releases/tag/v1.85.0","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/releases/tag/v1.85.0"},{"reference_url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-26c5-ppr8-f33p","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-26c5-ppr8-f33p"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2023-84.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2023-84.yaml"},{"reference_url":"https://lists.fedoraproject.org/archiv
es/list/package-announce@lists.fedoraproject.org/message/X6DH5A5YEB5LRIPP32OUW25FCGZFCZU2","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6DH5A5YEB5LRIPP32OUW25FCGZFCZU2"},{"reference_url":"https://matrix-org.github.io/synapse/latest/admin_api/user_admin_api.html#create-or-modify-account","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://matrix-org.github.io/synapse/latest/admin_api/user_admin_api.html#create-or-modify-account"},{"reference_url":"https://matrix-org.github.io/synapse/latest/jwt.html","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://matrix-org.github.io/synapse/latest/jwt.html"},{"reference_url":"https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#password_config","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvss
v4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#password_config"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037207","reference_id":"1037207","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037207"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-32682","reference_id":"CVE-2023-32682","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-32682"},{"reference_url":"https://github.com/advisories/GHSA-26c5-ppr8-f33p","reference_id":"GHSA-26c5-ppr8-f33p","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-26c5-ppr8-f33p"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/33942?format=json","purl":"pkg:pypi/matrix-synapse@1.85.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4vve-jkk2-rueg"},{"vulnerability":"VCID-57xv-u1be-mfez"},{"vulnerability":"VCID-8zas-gnpp-3qfd"},{"vulnerability":"VCID-9t8r-dp58-xydr"},{"vulnerability":"VCID-ewxj-3jt9-p7af"},{"vulnerability":"VCID-mgxc-w86p-yqcm"},{"vulnerability":"VCID-w6fr-65fa-9yhb"},{"vulnerability":"VCID-z4xn-smp8-tfcj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.85.0"}],"aliases":["CVE-2023-32682","GHSA-26c5-ppr8-f33p","PYSEC-2023-84"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2uq2-kcfr-87gr"},
{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/7166?format=json","vulnerability_id":"VCID-3sbj-6gut-cybe","summary":"information disclosure","references":[{"reference_url":"https://github.com/matrix-org/synapse","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse"},{"reference_url":"https://github.com/matrix-org/synapse/commit/cb35df940a","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/commit/cb35df940a"},{"reference_url":"https://github.com/matrix-org/synapse/releases/tag/v1.41.1","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/releases/tag/v1.41.1"},{"reference_url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-jj53-8fmw-f2w2","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N
/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-jj53-8fmw-f2w2"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-424.yaml","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-424.yaml"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2VHDEPCZ22GJFMZCWA2XZAGPOEV72POF","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2VHDEPCZ22GJFMZCWA2XZAGPOEV72POF"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2VHDEPCZ22GJFMZCWA2XZAGPOEV72POF/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2VHDEPCZ22GJFMZCWA2XZAGPOEV72POF/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PXT7ID7DNBRN2TVTETU3SYQHJKEG6PXN","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV
:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PXT7ID7DNBRN2TVTETU3SYQHJKEG6PXN"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PXT7ID7DNBRN2TVTETU3SYQHJKEG6PXN/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PXT7ID7DNBRN2TVTETU3SYQHJKEG6PXN/"},{"reference_url":"https://security.archlinux.org/AVG-2334","reference_id":"AVG-2334","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2334"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-39163","reference_id":"CVE-2021-39163","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-39163"},{"reference_url":"https://github.com/advisories/GHSA-jj53-8fmw-f2w2","reference_id":"GHSA-jj53-8fmw-f2w2","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-jj53-8fmw-f2w2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/23499?format=json","purl":"pkg:pypi/matrix-synapse@1.41.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2q41-366b-jfbs"},{"vulnerability":"VCID-2uq2-kcfr-87gr"},{"vulnerability":"VCID-4vve-jkk2-rueg"},{"vulnerability":"VCID-57xv-u1be-mfez"},{"vulnerability":
"VCID-8zas-gnpp-3qfd"},{"vulnerability":"VCID-9t8r-dp58-xydr"},{"vulnerability":"VCID-bnz6-nw3z-77gd"},{"vulnerability":"VCID-djck-vkte-q7he"},{"vulnerability":"VCID-ewxj-3jt9-p7af"},{"vulnerability":"VCID-ftmr-xpa4-mbfd"},{"vulnerability":"VCID-gre7-9vu7-vqdh"},{"vulnerability":"VCID-mgxc-w86p-yqcm"},{"vulnerability":"VCID-ubx5-xans-8bey"},{"vulnerability":"VCID-z4xn-smp8-tfcj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.41.1"}],"aliases":["CVE-2021-39163","GHSA-jj53-8fmw-f2w2","PYSEC-2021-424"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3sbj-6gut-cybe"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36596?format=json","vulnerability_id":"VCID-4vve-jkk2-rueg","summary":"Synapse is an open-source Matrix homeserver Prior to versions 1.95.1 and 1.96.0rc1, cached device information of remote users can be queried from Synapse. This can be used to enumerate the remote users known to a homeserver. System administrators are encouraged to upgrade to Synapse 1.95.1 or 1.96.0rc1 to receive a patch. 
As a workaround, the `federation_domain_whitelist` can be used to limit federation traffic with a homeserver.","references":[{"reference_url":"https://github.com/matrix-org/synapse","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse"},{"reference_url":"https://github.com/matrix-org/synapse/commit/daec55e1fe120c564240c5386e77941372bf458f","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/commit/daec55e1fe120c564240c5386e77941372bf458f"},{"reference_url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-mp92-3jfm-3575","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-mp92-3jfm-3575"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2023-230.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2023-230.yaml"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2IDEEZMFJBDLTFHQUTZRJJNCOZGQ2ZVS","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system
":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2IDEEZMFJBDLTFHQUTZRJJNCOZGQ2ZVS"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VH3RNC5ZPQZ4OKPSL4E6BBJSZOQLGDEY","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VH3RNC5ZPQZ4OKPSL4E6BBJSZOQLGDEY"},{"reference_url":"https://security.gentoo.org/glsa/202401-12","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.gentoo.org/glsa/202401-12"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055255","reference_id":"1055255","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055255"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-43796","reference_id":"CVE-2023-43796","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-43796"},{"reference_url":"https://github.com/advisories/GHSA-mp92-3jfm-3575","reference_id":"GHSA-mp92-3jfm-3575","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-mp92-3jfm-3575"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io
/api/packages/37740?format=json","purl":"pkg:pypi/matrix-synapse@1.95.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-57xv-u1be-mfez"},{"vulnerability":"VCID-9t8r-dp58-xydr"},{"vulnerability":"VCID-ewxj-3jt9-p7af"},{"vulnerability":"VCID-z4xn-smp8-tfcj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.95.1"}],"aliases":["CVE-2023-43796","GHSA-mp92-3jfm-3575","PYSEC-2023-230"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4vve-jkk2-rueg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/51318?format=json","vulnerability_id":"VCID-57xv-u1be-mfez","summary":"Synapse is an open source Matrix homeserver implementation. Prior to 1.152.1, local authenticated users can cause Synapse to starve other requests of CPU and lead to other requests failing, causing other users to be denied service. This vulnerability is fixed in 1.152.1.","references":[{"reference_url":"https://github.com/element-hq/synapse","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/element-hq/synapse"},{"reference_url":"https://github.com/element-hq/synapse/commit/3f58bc50dfba5768ee43ce48c5e74c25ba0b078a","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/element-hq/synapse/commit/3f58bc50dfba5768ee43ce48c5e74c25ba0b078a"},{"reference_url":"https://github.com/element-hq/synapse/issues/19394","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/element-hq/synapse/issues/19394"},{"reference_url":"https://github.com/element-hq/synapse/security/advisories/GHSA-8q93-326v-3m7g","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/element-hq/synapse/security/advisories/GHSA-8q93-326v-3m7g"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/75426?format=json","purl":"pkg:pypi/matrix-synapse@1.152.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.152.1"}],"aliases":["CVE-2026-45078","GHSA-8q93-326v-3m7g","PYSEC-2026-191"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-57xv-u1be-mfez"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35764?format=json","vulnerability_id":"VCID-6bx9-6prt-vffg","summary":"Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.27.0, the password reset endpoint served via Synapse was vulnerable to cross-site scripting (XSS) attacks. The impact depends on the configuration of the domain that Synapse is deployed on, but may allow access to cookies and other browser data, CSRF vulnerabilities, and access to other resources served on the same domain or parent domains. 
This is fixed in version 1.27.0.","references":[{"reference_url":"https://github.com/matrix-org/synapse","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse"},{"reference_url":"https://github.com/matrix-org/synapse/commit/e54746bdf7d5c831eabe4dcea76a7626f1de73df","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/commit/e54746bdf7d5c831eabe4dcea76a7626f1de73df"},{"reference_url":"https://github.com/matrix-org/synapse/pull/9200","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/pull/9200"},{"reference_url":"https://github.com/matrix-org/synapse/releases/tag/v1.27.0","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_eleme
nts":""}],"url":"https://github.com/matrix-org/synapse/releases/tag/v1.27.0"},{"reference_url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-246w-56m2-5899","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-246w-56m2-5899"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-133.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-133.yaml"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21332","reference_id":"CVE-2021-21332","reference_type":"","scores":[{"value":"6.9","sco
ring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21332"},{"reference_url":"https://github.com/advisories/GHSA-246w-56m2-5899","reference_id":"GHSA-246w-56m2-5899","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-246w-56m2-5899"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/20458?format=json","purl":"pkg:pypi/matrix-synapse@1.27.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2q41-366b-jfbs"},{"vulnerability":"VCID-2uq2-kcfr-87gr"},{"vulnerability":"VCID-3sbj-6gut-cybe"},{"vulnerability":"VCID-4vve-jkk2-rueg"},{"vulnerability":"VCID-57xv-u1be-mfez"},{"vulnerability":"VCID-9t8r-dp58-xydr"},{"vulnerability":"VCID-b461-xbt2-9fg1"},{"vulnerability":"VCID-bmw9-6jkv-t3ds"},{"vulnerability":"VCID-bnz6-nw3z-77gd"},{"vulnerability":"VCID-d6yz-j1f9-cfec"},{"vulnerability":"VCID-djck-vkte-q7he"},{"vulnerability":"VCID-ewxj-3jt9-p7af"},{"vulnerability":"VCID-ftmr-xpa4-mbfd"},{"vulnerability":"VCID-gre7-9vu7-vqdh"},{"vulnerability":"VCID-j8zw-nzgv-mkeq"},{"vulnerability":"VCID-mgxc-w86p-yqcm"},{"vulnerability":"VCID-p7my-33nz-puhn"},{"vulnerability":"VCID-ubx5-xans-8bey"},{"vulnerability":"VCID-z4xn-smp8-tfcj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.27.0"}],"aliases":["CVE-2021-21332","GHSA-246w-56m2-5899","PYSEC-2021-133"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6bx9-6prt-vffg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35763?format=json","vulnerability_id":"VCID-9jy7-pnmw-1bbq","summary":"Synapse is a Matrix reference homeserver written in python 
(pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.27.0, the notification emails sent for notifications for missed messages or for an expiring account are subject to HTML injection. In the case of the notification for missed messages, this could allow an attacker to insert forged content into the email. The account expiry feature is not enabled by default and the HTML injection is not controllable by an attacker. This is fixed in version 1.27.0.","references":[{"reference_url":"https://github.com/matrix-org/synapse","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse"},{"reference_url":"https://github.com/matrix-org/synapse/commit/e54746bdf7d5c831eabe4dcea76a7626f1de73df","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/commit/e54746bdf7d5c831eabe4dcea76a7626f1de73df"},{"reference_url":"https://github.com/matrix-org/synapse/pull/9200","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements"
:""}],"url":"https://github.com/matrix-org/synapse/pull/9200"},{"reference_url":"https://github.com/matrix-org/synapse/releases/tag/v1.27.0","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/releases/tag/v1.27.0"},{"reference_url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-c5f8-35qr-q4fm","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-c5f8-35qr-q4fm"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-134.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-134.yaml"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:
N"},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21333","reference_id":"CVE-2021-21333","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21333"},{"reference_url":"https://github.com/advisories/GHSA-c5f8-35qr-q4fm","reference_id":"GHSA-c5f8-35qr-q4fm","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-c5f8-35qr-q4fm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/20458?format=json","purl":"pkg:pypi/matrix-synapse@1.27.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2q41-366b-jfbs"},{"vulnerability":"VCID-2uq2-kcfr-87gr"},{"vulnerability":"VCID-3sbj-6gut-cybe"},{"vulnerability":"VCID-4vve-jkk2-rueg"},{"vulnerability":"VCID-57xv-u1be-mfez"},{"vulnerability":"VCID-9t8r-dp58-xydr"},{"vulnerability":"VCID-b461-xbt2-9fg1"},{"vulnerability":"VCID-bmw9-6jkv-t3ds"},{"vulnerability":"VCID-bnz6-nw3z-77gd"},{"vulnerability":"VCID-d6yz-j1f9-cfec"},{"vulnerability":"VCID-djck-vkte-q7he"},{"vulnerability":"VCID-ewxj-3jt9-p7af"},{"vulnerability":"VCID-ftmr-xpa4-mbfd"},{"vulnerability":"VCID-gre7-9vu7-vqdh"},{"vulnerability":"VCID-j8zw-nzgv-mkeq"},{"vulnerability":"VCID-mgxc-w86p-yqcm"},{"vulnerability":"VCID-p7my-33nz-puhn"},{"vulnerability":"VCID-ubx5-xans-8bey"},{"vulnerability":"VCID-z4xn-smp8-tfcj"}],"resource
_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.27.0"}],"aliases":["CVE-2021-21333","GHSA-c5f8-35qr-q4fm","PYSEC-2021-134"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9jy7-pnmw-1bbq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36768?format=json","vulnerability_id":"VCID-9t8r-dp58-xydr","summary":"Synapse is an open-source Matrix homeserver. A remote Matrix user with malicious intent, sharing a room with Synapse instances before 1.105.1, can dispatch specially crafted events to exploit a weakness in the V2 state resolution algorithm. This can induce high CPU consumption and accumulate excessive data in the database of such instances, resulting in a denial of service. Servers in private federations, or those that do not federate, are not affected. Server administrators should upgrade to 1.105.1 or later. Some workarounds are available. One can ban the malicious users or ACL block servers from the rooms and/or leave the room and purge the room using the admin 
API.","references":[{"reference_url":"https://github.com/element-hq/synapse","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/element-hq/synapse"},{"reference_url":"https://github.com/element-hq/synapse/commit/55b0aa847a61774b6a3acdc4b177a20dc019f01a","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/element-hq/synapse/commit/55b0aa847a61774b6a3acdc4b177a20dc019f01a"},{"reference_url":"https://github.com/element-hq/synapse/releases/tag/v1.105.1","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/element-hq/synapse/releases/tag/v1.105.1"},{"reference_url":"https://github.com/element-hq/synapse/security/advisories/GHSA-3h7q-rfh9-xm4v","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/element-hq/synapse/security/advisories/GHSA-3h7q-rfh9-xm4v"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2024-50.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database
/tree/main/vulns/matrix-synapse/PYSEC-2024-50.yaml"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R6FCCO4ODTZ3FDS7TMW76PKOSEL2TQVB","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R6FCCO4ODTZ3FDS7TMW76PKOSEL2TQVB"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RR53FNHV446CB37TP45GZ6F6HZLZCK3K","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RR53FNHV446CB37TP45GZ6F6HZLZCK3K"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSF4NJJSTSQRJQ47PLYYSCFYKJBP7DET","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSF4NJJSTSQRJQ47PLYYSCFYKJBP7DET"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1069763","reference_id":"1069763","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1069763"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-31208","reference_id":"CVE-2024-31208","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_el
ements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-31208"},{"reference_url":"https://github.com/advisories/GHSA-3h7q-rfh9-xm4v","reference_id":"GHSA-3h7q-rfh9-xm4v","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-3h7q-rfh9-xm4v"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40927?format=json","purl":"pkg:pypi/matrix-synapse@1.105.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-57xv-u1be-mfez"},{"vulnerability":"VCID-ewxj-3jt9-p7af"},{"vulnerability":"VCID-z4xn-smp8-tfcj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.105.1"}],"aliases":["CVE-2024-31208","GHSA-3h7q-rfh9-xm4v","PYSEC-2024-50"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9t8r-dp58-xydr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35795?format=json","vulnerability_id":"VCID-b461-xbt2-9fg1","summary":"Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.33.2 \"Push rules\" can specify conditions under which they will match, including `event_match`, which matches event content against a pattern including wildcards. Certain patterns can cause very poor performance in the matching engine, leading to a denial-of-service when processing moderate length events. The issue is patched in version 1.33.2. 
A potential workaround might be to prevent users from making custom push rules, by blocking such requests at a reverse-proxy.","references":[{"reference_url":"https://github.com/matrix-org/synapse","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse"},{"reference_url":"https://github.com/matrix-org/synapse/commit/03318a766cac9f8b053db2214d9c332a977d226c","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/commit/03318a766cac9f8b053db2214d9c332a977d226c"},{"reference_url":"https://github.com/matrix-org/synapse/releases/tag/v1.33.2","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/releases/tag/v1.33.2"},{"reference_url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-x345-32rc-8h85","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"C
VSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-x345-32rc-8h85"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-135.yaml","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-135.yaml"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-29471","reference_id":"CVE-2021-29471","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-29471"},{"reference_url":"https://github.com/advi
sories/GHSA-x345-32rc-8h85","reference_id":"GHSA-x345-32rc-8h85","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-x345-32rc-8h85"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/21876?format=json","purl":"pkg:pypi/matrix-synapse@1.33.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2q41-366b-jfbs"},{"vulnerability":"VCID-2uq2-kcfr-87gr"},{"vulnerability":"VCID-3sbj-6gut-cybe"},{"vulnerability":"VCID-4vve-jkk2-rueg"},{"vulnerability":"VCID-57xv-u1be-mfez"},{"vulnerability":"VCID-9t8r-dp58-xydr"},{"vulnerability":"VCID-bnz6-nw3z-77gd"},{"vulnerability":"VCID-d6yz-j1f9-cfec"},{"vulnerability":"VCID-djck-vkte-q7he"},{"vulnerability":"VCID-ewxj-3jt9-p7af"},{"vulnerability":"VCID-ftmr-xpa4-mbfd"},{"vulnerability":"VCID-gre7-9vu7-vqdh"},{"vulnerability":"VCID-mgxc-w86p-yqcm"},{"vulnerability":"VCID-ubx5-xans-8bey"},{"vulnerability":"VCID-z4xn-smp8-tfcj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.33.2"}],"aliases":["CVE-2021-29471","GHSA-x345-32rc-8h85","PYSEC-2021-135"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-b461-xbt2-9fg1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35774?format=json","vulnerability_id":"VCID-bmw9-6jkv-t3ds","summary":"Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0 Synapse is missing input validation of some parameters on the endpoints used to confirm third-party identifiers could cause excessive use of disk space and memory leading to resource exhaustion. Note that the groups feature is not part of the Matrix specification and the chosen maximum lengths are arbitrary. Not all clients might abide by them. 
Refer to referenced GitHub security advisory for additional details including workarounds.","references":[{"reference_url":"https://github.com/matrix-org/synapse","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse"},{"reference_url":"https://github.com/matrix-org/synapse/pull/9321","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/pull/9321"},{"reference_url":"https://github.com/matrix-org/synapse/pull/9393","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/pull/9393"},{"reference_url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-w9fg-xffh-p362","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elem
ents":""}],"url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-w9fg-xffh-p362"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-27.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-27.yaml"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY"},{"reference_url":"https://pypi.org/project/matrix-synapse","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://pypi.org/project/matrix-synapse"},{"reference_url":"https://pypi.org/project/matrix-synapse/","reference_id":"","reference_type":"","scores":[],"url":"https://pypi.org/project/matrix-synapse/"},{"reference_url":"https://nvd.nist.gov/vuln/de
tail/CVE-2021-21394","reference_id":"CVE-2021-21394","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21394"},{"reference_url":"https://github.com/advisories/GHSA-w9fg-xffh-p362","reference_id":"GHSA-w9fg-xffh-p362","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-w9fg-xffh-p362"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/21485?format=json","purl":"pkg:pypi/matrix-synapse@1.28.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2q41-366b-jfbs"},{"vulnerability":"VCID-2uq2-kcfr-87gr"},{"vulnerability":"VCID-3sbj-6gut-cybe"},{"vulnerability":"VCID-4vve-jkk2-rueg"},{"vulnerability":"VCID-57xv-u1be-mfez"},{"vulnerability":"VCID-9t8r-dp58-xydr"},{"vulnerability":"VCID-b461-xbt2-9fg1"},{"vulnerability":"VCID-bnz6-nw3z-77gd"},{"vulnerability":"VCID-d6yz-j1f9-cfec"},{"vulnerability":"VCID-djck-vkte-q7he"},{"vulnerability":"VCID-ewxj-3jt9-p7af"},{"vulnerability":"VCID-ftmr-xpa4-mbfd"},{"vulnerability":"VCID-gre7-9vu7-vqdh"},{"vulnerability":"VCID-mgxc-w86p-yqcm"},{"vulnerability":"VCID-ubx5-xans-8bey"},{"vulnerability":"VCID-z4xn-smp8-tfcj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.28.0"}],"aliases":["CVE-2021-21394","GHSA-w9fg-xffh-p362","PYSEC-2021-27"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-bmw9-6jkv-t3ds"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36452?format=json","vulnerability_id":"VCID-bnz6-nw3z-77gd","summary":"Synapse is an open-source Matrix homeserver written and maintained by the 
Matrix.org Foundation. The Matrix Federation API allows remote homeservers to request the authorization events in a room. This is necessary so that a homeserver receiving some events can validate that those events are legitimate and permitted in their room. However, in versions of Synapse up to and including 1.68.0, a Synapse homeserver answering a query for authorization events does not sufficiently check that the requesting server should be able to access them. The issue was patched in Synapse 1.69.0. Homeserver administrators are advised to upgrade.","references":[{"reference_url":"https://github.com/matrix-org/synapse","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse"},{"reference_url":"https://github.com/matrix-org/synapse/issues/13288","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/issues/13288"},{"reference_url":"https://github.com/matrix-org/synapse/pull/13823","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse
/pull/13823"},{"reference_url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-45cj-f97f-ggwv","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-45cj-f97f-ggwv"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2023-65.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2023-65.yaml"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T2MBNMZAFY4RCZL2VGBGAPKGB4JUPZVS","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T2MBNMZAFY4RCZL2VGBGAPKGB4JUPZVS"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-39335","reference_id":"CVE-2022-39335","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C
:L/I:L/A:L"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-39335"},{"reference_url":"https://github.com/advisories/GHSA-45cj-f97f-ggwv","reference_id":"GHSA-45cj-f97f-ggwv","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-45cj-f97f-ggwv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/33828?format=json","purl":"pkg:pypi/matrix-synapse@1.69.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2q41-366b-jfbs"},{"vulnerability":"VCID-2uq2-kcfr-87gr"},{"vulnerability":"VCID-4vve-jkk2-rueg"},{"vulnerability":"VCID-57xv-u1be-mfez"},{"vulnerability":"VCID-8zas-gnpp-3qfd"},{"vulnerability":"VCID-9t8r-dp58-xydr"},{"vulnerability":"VCID-ewxj-3jt9-p7af"},{"vulnerability":"VCID-mgxc-w86p-yqcm"},{"vulnerability":"VCID-ubx5-xans-8bey"},{"vulnerability":"VCID-w6fr-65fa-9yhb"},{"vulnerability":"VCID-z4xn-smp8-tfcj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.69.0"}],"aliases":["CVE-2022-39335","GHSA-45cj-f97f-ggwv","PYSEC-2023-65"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-bnz6-nw3z-77gd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35729?format=json","vulnerability_id":"VCID-buj8-8fqz-yyfe","summary":"Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.25.0, requests to user provided domains were not restricted to external IP addresses when calculating the key validity for third-party invite events and sending push notifications. This could cause Synapse to make requests to internal infrastructure. 
The type of request was not controlled by the user, although limited modification of request bodies was possible. For the most thorough protection server administrators should remove the deprecated `federation_ip_range_blacklist` from their settings after upgrading to Synapse v1.25.0 which will result in Synapse using the improved default IP address restrictions. See the new `ip_range_blacklist` and `ip_range_whitelist` settings if more specific control is necessary.","references":[{"reference_url":"https://github.com/matrix-org/synapse","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse"},{"reference_url":"https://github.com/matrix-org/synapse/commit/30fba6210834a4ecd91badf0c8f3eb278b72e746","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/commit/30fba6210834a4ecd91badf0c8f3eb278b72e746"},{"reference_url":"https://github.com/matrix-org/synapse/pull/8821","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/pull/
8821"},{"reference_url":"https://github.com/matrix-org/synapse/releases/tag/v1.25.0","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/releases/tag/v1.25.0"},{"reference_url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-v936-j8gp-9q3p","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-v936-j8gp-9q3p"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-131.yaml","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-131.yaml"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_el
ements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21273","reference_id":"CVE-2021-21273","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21273"},{"reference_url":"https://github.com/advisories/GHSA-v936-j8gp-9q3p","reference_id":"GHSA-v936-j8gp-9q3p","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-v936-j8gp-9q3p"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/20185?format=json","purl":"pkg:pypi/matrix-synapse@1.25.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2q41-366b-jfbs"},{"vulnerability":"VCID-2uq2-kcfr-87gr"},{"vulnerability":"VCID-3sbj-6gut-cybe"},{"vulnerability":"VCID-4vve-jkk2-rueg"},{"vulnerability":"VCID-57xv-u1be-mfez"},{"vulnerability":"VCID-6bx9-6prt-vffg"},{"vulnerability":"VCID-9jy7-pnmw-1bbq"},{"vulnerability":"VCID-9t8r-dp58-xydr"},{"vulnerability":"VCID-b461-xbt2-9fg1"},{"vulnerability":"VCID-bmw9-6jkv-t3ds"},{"vulnerability":"VCID-bnz6-nw3z-77gd"},{"vulnerability":"VCID-d6yz-j1f9-cfec"},{"vulnerability":"VCID-djck-vkte-q7he"},{"vulnerability":"VCID-ewxj-3jt9-p7af"},{"vulnerability":"VCID-ftmr-xpa4-mbfd"},{"vulnerability":"VCID-gre7-9vu7-vqdh"},{"vulnerability":"VCID-j8zw-nzgv-mkeq"},{"vulnerability":"VCID-mgxc-w86p-yqcm"},{"vulnerability":"VCID-p7my-33nz-puhn"},{"vulnerability":"VCID-ubx5-xans-8bey"},{"vulnerability":"VCID-z4x
n-smp8-tfcj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.25.0"}],"aliases":["CVE-2021-21273","GHSA-v936-j8gp-9q3p","PYSEC-2021-131"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-buj8-8fqz-yyfe"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/7165?format=json","vulnerability_id":"VCID-d6yz-j1f9-cfec","summary":"information disclosure","references":[{"reference_url":"https://github.com/matrix-org/synapse","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse"},{"reference_url":"https://github.com/matrix-org/synapse/commit/cb35df940a","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/commit/cb35df940a"},{"reference_url":"https://github.com/matrix-org/synapse/releases/tag/v1.41.1","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/releases/tag/v1.41.1"},{"reference_url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-3x4c-pq33-4w3q","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-3x4c-pq33-4w3q"},{"
reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-425.yaml","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-425.yaml"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2VHDEPCZ22GJFMZCWA2XZAGPOEV72POF","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2VHDEPCZ22GJFMZCWA2XZAGPOEV72POF"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2VHDEPCZ22GJFMZCWA2XZAGPOEV72POF/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2VHDEPCZ22GJFMZCWA2XZAGPOEV72POF/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PXT7ID7DNBRN2TVTETU3SYQHJKEG6PXN","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PXT7ID7DNBRN2TVTETU3SYQHJKEG6PXN"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PXT7ID7DNBRN2TVTETU3SYQHJKEG6PXN/","reference_id":"","reference_type":"","s
cores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PXT7ID7DNBRN2TVTETU3SYQHJKEG6PXN/"},{"reference_url":"https://security.archlinux.org/AVG-2334","reference_id":"AVG-2334","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2334"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-39164","reference_id":"CVE-2021-39164","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-39164"},{"reference_url":"https://github.com/advisories/GHSA-3x4c-pq33-4w3q","reference_id":"GHSA-3x4c-pq33-4w3q","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-3x4c-pq33-4w3q"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/23499?format=json","purl":"pkg:pypi/matrix-synapse@1.41.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2q41-366b-jfbs"},{"vulnerability":"VCID-2uq2-kcfr-87gr"},{"vulnerability":"VCID-4vve-jkk2-rueg"},{"vulnerability":"VCID-57xv-u1be-mfez"},{"vulnerability":"VCID-8zas-gnpp-3qfd"},{"vulnerability":"VCID-9t8r-dp58-xydr"},{"vulnerability":"VCID-bnz6-nw3z-77gd"},{"vulnerability":"VCID-djck-vkte-q7he"},{"vulnerability":"VCID-ewxj-3jt9-p7af"},{"vulnerability":"VCID-ftmr-xpa4-mbfd"},{"vulnerability":"VCID-gre7-9vu7-vqdh"},{"vulnerability":"VCID-mgxc-w86p-yqcm"},{"vulnerability":"VCID-ubx5-xans-8bey"},{"vulnerability":"VCID-z4xn-smp8-tfcj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.41.1"}],"aliases":["CVE-2021-39164","GHSA-3x4c-pq33-4w3q","PYSEC-2021-425"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-d6yz-j1f9-
cfec"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36133?format=json","vulnerability_id":"VCID-djck-vkte-q7he","summary":"Synapse is an open source home server implementation for the Matrix chat network. In versions prior to 1.61.1 URL previews of some web pages can exhaust the available stack space for the Synapse process due to unbounded recursion. This is sometimes recoverable and leads to an error for the request causing the problem, but in other cases the Synapse process may crash altogether. It is possible to exploit this maliciously, either by malicious users on the homeserver, or by remote users sending URLs that a local user's client may automatically request a URL preview for. Remote users are not able to exploit this directly, because the URL preview endpoint is authenticated. Deployments with `url_preview_enabled: false` set in configuration are not affected. Deployments with `url_preview_enabled: true` set in configuration **are** affected. Deployments with no configuration value set for `url_preview_enabled` are not affected, because the default is `false`. Administrators of homeservers with URL previews enabled are advised to upgrade to v1.61.1 or higher. 
Users unable to upgrade should set `url_preview_enabled` to false.","references":[{"reference_url":"https://github.com/matrix-org/synapse/commit/fa1308061802ac7b7d20e954ba7372c5ac292333","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/matrix-org/synapse/commit/fa1308061802ac7b7d20e954ba7372c5ac292333"},{"reference_url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-22p3-qrh9-cx32","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-22p3-qrh9-cx32"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7EARKKJZ2W7WUITFDT4EG4NVATFYJQHF/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7EARKKJZ2W7WUITFDT4EG4NVATFYJQHF/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGSDQ4YAITCUACAB7SXQZDJIU3IQ4CJD/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGSDQ4YAITCUACAB7SXQZDJIU3IQ4CJD/"},{"reference_url":"https://spec.matrix.org/v1.2/client-server-api/#get_matrixmediav3preview_url","reference_id":"","reference_type":"","scores":[],"url":"https://spec.matrix.org/v1.2/client-server-api/#get_matrixmediav3preview_url"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/28213?format=json","purl":"pkg:pypi/matrix-synapse@1.61.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2q41-366b-jfbs"},{"vulnerability":"VCID-2uq2-kcfr-87gr"},{"vulnerability":"VCID-4vve-jkk2-rueg"},{"vulnerability":"VCID-57xv-u1be-mfez"},{"vulnerability":"VCID-8zas-gnpp-3qfd"},{"vulnerability":"VCID-9t8r-dp58-xydr"},{"vulnerability":"VCID-bnz6-nw3z-77gd"},{"vulnerability":"VCID-ewxj-3jt9-p7af"},{"vulnerability":"VCID-gre
7-9vu7-vqdh"},{"vulnerability":"VCID-mgxc-w86p-yqcm"},{"vulnerability":"VCID-ubx5-xans-8bey"},{"vulnerability":"VCID-z4xn-smp8-tfcj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.61.1"}],"aliases":["CVE-2022-31052","GHSA-22p3-qrh9-cx32","PYSEC-2022-224"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-djck-vkte-q7he"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36948?format=json","vulnerability_id":"VCID-ewxj-3jt9-p7af","summary":"Synapse is an open-source Matrix homeserver. Synapse before version 1.106 allows, by design, unauthenticated remote participants to trigger a download and caching of remote media from a remote homeserver to the local media repository. Such content then also becomes available for download from the local homeserver in an unauthenticated way. The implication is that unauthenticated remote adversaries can use this functionality to plant problematic content into the media repository. Synapse 1.106 introduces a partial mitigation in the form of new endpoints which require authentication for media downloads. 
The unauthenticated endpoints will be frozen in a future release, closing the attack vector.","references":[{"reference_url":"https://github.com/element-hq/synapse","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/element-hq/synapse"},{"reference_url":"https://github.com/element-hq/synapse/security/advisories/GHSA-gjgr-7834-rhxr","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/element-hq/synapse/security/advisories/GHSA-gjgr-7834-rhxr"},{"reference_url":"https://github.com/matrix-org/matrix-spec-proposals/pull/3916","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/matrix-spec-proposals/pull/3916"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-37303","reference_id":"CVE-2024-37303","reference_type":"","scores":[{"value":"5
.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-37303"},{"reference_url":"https://github.com/advisories/GHSA-gjgr-7834-rhxr","reference_id":"GHSA-gjgr-7834-rhxr","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-gjgr-7834-rhxr"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/83453?format=json","purl":"pkg:pypi/matrix-synapse@1.106","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.106"},{"url":"http://public2.vulnerablecode.io/api/packages/44195?format=json","purl":"pkg:pypi/matrix-synapse@1.106.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-57xv-u1be-mfez"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.106.0"}],"aliases":["CVE-2024-37303","GHSA-gjgr-7834-rhxr","PYSEC-2024-287"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ewxj-3jt9-p7af"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/7001?format=json","vulnerability_id":"VCID-ftmr-xpa4-mbfd","summary":"directory 
traversal","references":[{"reference_url":"https://github.com/matrix-org/synapse","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse"},{"reference_url":"https://github.com/matrix-org/synapse/commit/91f2bd090","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/commit/91f2bd090"},{"reference_url":"https://github.com/matrix-org/synapse/releases/tag/v1.47.1","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/releases/tag/v1.47.1"},{"reference_url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-3hfw-x7gx-437c","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/secur
ity/advisories/GHSA-3hfw-x7gx-437c"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-436.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-436.yaml"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EU7QRE55U4IUEDLKT5IYPWL3UXMELFAS","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EU7QRE55U4IUEDLKT5IYPWL3UXMELFAS"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N3WY56LCEZ4ZECLWV5KMAXF2PSMUB4F2","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N3WY56LCEZ4ZECLWV5KMAXF2PSMUB4F2"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1000451","reference_id":"1000451"
,"reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1000451"},{"reference_url":"https://security.archlinux.org/AVG-2581","reference_id":"AVG-2581","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2581"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-41281","reference_id":"CVE-2021-41281","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-41281"},{"reference_url":"https://github.com/advisories/GHSA-3hfw-x7gx-437c","reference_id":"GHSA-3hfw-x7gx-437c","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-3hfw-x7gx-437c"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/25067?format=json","purl":"pkg:pypi/matrix-synapse@1.47.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2q41-366b-jfbs"},{"vulnerability":"VCID-2uq2-kcfr-87gr"},{"vulnerability":"VCID-4vve-jkk2-rueg"},{"vulnerability":"VCID-57xv-u1be-mfez"},{"vulnerability":"VCID-8zas-gnpp-3qfd"},{"vulnerability":"VCID-9t8r-dp58-xydr"},{"vulnerability":"VCID-bnz6-nw3z-77gd"},{"vulnerability":"VCID-djck-vkte-q7he"},{"vulnerability":"VCID-ewxj-3jt9-p7af"},{"vulnerability":"VCID-gre7-9vu7-vqdh"},{"vulnerability":"VCID-mgxc-w86p-yqcm"},{"vulnerability":"VCID-ubx5-xans-8bey"},{"vulnerability":"VCID-z4xn-smp8-tfcj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.47.1"}],"aliases":["CVE-2021-41281","GHSA-3hfw-x7gx-437c","PYSEC-2021-436"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerabl
ecode.io/vulnerabilities/VCID-ftmr-xpa4-mbfd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35434?format=json","vulnerability_id":"VCID-gmab-mbjg-gbet","summary":"Matrix Synapse before 1.5.0 mishandles signature checking on some federation APIs. Events sent over /send_join, /send_leave, and /invite may not be correctly signed, or may not come from the expected servers.","references":[{"reference_url":"https://github.com/advisories/GHSA-cppw-2mf8-qpm5","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-cppw-2mf8-qpm5"},{"reference_url":"https://github.com/matrix-org/synapse/pull/6262","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/matrix-org/synapse/pull/6262"},{"reference_url":"https://github.com/matrix-org/synapse/releases/tag/v1.5.0","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/matrix-org/synapse/releases/tag/v1.5.0"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=944355","reference_id":"944355","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=944355"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/14505?format=json","purl":"pkg:pypi/matrix-synapse@1.5.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2q41-366b-jfbs"},{"vulnerability":"VCID-2uq2-kcfr-87gr"},{"vulnerability":"VCID-3sbj-6gut-cybe"},{"vulnerability":"VCID-4vve-jkk2-rueg"},{"vulnerability":"VCID-57xv-u1be-mfez"},{"vulnerability":"VCID-6bx9-6prt-vffg"},{"vulnerability":"VCID-9jy7-pnmw-1bbq"},{"vulnerability":"VCID-9t8r-dp58-xydr"},{"vulnerability":"VCID-b461-xbt2-9fg1"},{"vulnerability":"VCID-bmw9-6jkv-t3ds"},{"vulnerability":"VCID-bnz6-nw3z-77gd"},{"vulnerability":"VCID-buj8-8fqz-yyfe"},{"vulnerability":"VCID-d6yz-j1f9-cfec"},{"vulnerability":"VCID-djck-vkte-q7he"},{"vulnerability":"VCID-ewxj-3jt9-p7af"},{"vulnerability":"VCID-ftmr-xpa4-mbfd"},{"vulnerability":"VCID-gre7-9v
u7-vqdh"},{"vulnerability":"VCID-j8zw-nzgv-mkeq"},{"vulnerability":"VCID-jsxu-cjjr-nfhw"},{"vulnerability":"VCID-mgxc-w86p-yqcm"},{"vulnerability":"VCID-mqta-hmxv-duh6"},{"vulnerability":"VCID-p7my-33nz-puhn"},{"vulnerability":"VCID-rab2-vwyz-ufdt"},{"vulnerability":"VCID-swgx-he8k-1qhy"},{"vulnerability":"VCID-ubx5-xans-8bey"},{"vulnerability":"VCID-z4xn-smp8-tfcj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.5.0"}],"aliases":["CVE-2019-18835","GHSA-cppw-2mf8-qpm5","PYSEC-2019-186"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gmab-mbjg-gbet"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36181?format=json","vulnerability_id":"VCID-gre7-9vu7-vqdh","summary":"Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. The Matrix specification specifies a list of [event authorization rules](https://spec.matrix.org/v1.2/rooms/v9/#authorization-rules) which must be checked when determining if an event should be accepted into a room. In versions of Synapse up to and including version 1.61.0, some of these rules are not correctly applied. An attacker could craft events which would be accepted by Synapse but not a spec-conformant server, potentially causing divergence in the room state between servers. Administrators of homeservers with federation enabled are advised to upgrade to version 1.62.0 or higher. 
Federation can be disabled by setting [`federation_domain_whitelist`](https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#federation_domain_whitelist) to an empty list (`[]`) as a workaround.","references":[{"reference_url":"https://github.com/matrix-org/synapse/pull/13087","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/matrix-org/synapse/pull/13087"},{"reference_url":"https://github.com/matrix-org/synapse/pull/13088","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/matrix-org/synapse/pull/13088"},{"reference_url":"https://github.com/matrix-org/synapse/releases/tag/v1.62.0","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/matrix-org/synapse/releases/tag/v1.62.0"},{"reference_url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-jhjh-776m-4765","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-jhjh-776m-4765"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/29122?format=json","purl":"pkg:pypi/matrix-synapse@1.62.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1r3j-umak-ebhe"},{"vulnerability":"VCID-2q41-366b-jfbs"},{"vulnerability":"VCID-2uq2-kcfr-87gr"},{"vulnerability":"VCID-4vve-jkk2-rueg"},{"vulnerability":"VCID-57xv-u1be-mfez"},{"vulnerability":"VCID-8zas-gnpp-3qfd"},{"vulnerability":"VCID-9t8r-dp58-xydr"},{"vulnerability":"VCID-bnz6-nw3z-77gd"},{"vulnerability":"VCID-ewxj-3jt9-p7af"},{"vulnerability":"VCID-mgxc-w86p-yqcm"},{"vulnerability":"VCID-ubx5-xans-8bey"},{"vulnerability":"VCID-z4xn-smp8-tfcj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.62.0"}],"aliases":["CVE-2022-31152","GHSA-jhjh-776m-4765","PYSEC-2022-262"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gre7-9vu7-vqd
h"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35775?format=json","vulnerability_id":"VCID-j8zw-nzgv-mkeq","summary":"Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0 requests to user provided domains were not restricted to external IP addresses when transitional IPv6 addresses were used. Outbound requests to federation, identity servers, when calculating the key validity for third-party invite events, sending push notifications, and generating URL previews are affected. This could cause Synapse to make requests to internal infrastructure on dual-stack networks. See referenced GitHub security advisory for details and workarounds.","references":[{"reference_url":"https://github.com/matrix-org/synapse","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse"},{"reference_url":"https://github.com/matrix-org/synapse/commit/4ca054a4eaa714d0befb4fc30b19a1131e52c9cc","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/commit/4ca054a4eaa714d0befb4fc30b19a1131e52c9cc"},{"reference_url":"https://github.com/matrix-org/synapse/pull/9240","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","sc
oring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/pull/9240"},{"reference_url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-5wrh-4jwv-5w78","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-5wrh-4jwv-5w78"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-25.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-25.yaml"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/p
ackage-announce@lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY"},{"reference_url":"https://pypi.org/project/matrix-synapse","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://pypi.org/project/matrix-synapse"},{"reference_url":"https://pypi.org/project/matrix-synapse/","reference_id":"","reference_type":"","scores":[],"url":"https://pypi.org/project/matrix-synapse/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21392","reference_id":"CVE-2021-21392","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21392"},{"reference_url":"https://github.com/advisories/GHSA-5wrh-4jwv-5w78","reference_id":"GHSA-5wrh-4jwv-5w78","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-5wrh-4jwv-5w78"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/21484?format=json","purl":"pkg:pypi/matrix-synapse@1.28.0rc1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2q41-366b-jfbs"},{"vulnerability":"VCID-2uq2-kcfr-87gr"},{"vulnerability":"VCID-3sbj-6gut-cybe"},{"vulnerability":"VCID-4vve-jkk2-rueg"},{"vulnerability":"VCID-57xv-u1be-mfez"},{"vulnerability":"VCID-9t8r-dp58-xydr"},{"vulnerability":"VCID-b461-xbt2-9fg1"},{"vulnerability":"VCID-bmw9-6jkv-t3ds"},{"vulnerability":"VCID-bnz6-nw3z-77gd"},{"vulnerability":"VCID-d6yz-j1f9-cfec"},{"vulne
rability":"VCID-djck-vkte-q7he"},{"vulnerability":"VCID-ewxj-3jt9-p7af"},{"vulnerability":"VCID-ftmr-xpa4-mbfd"},{"vulnerability":"VCID-gre7-9vu7-vqdh"},{"vulnerability":"VCID-j8zw-nzgv-mkeq"},{"vulnerability":"VCID-mgxc-w86p-yqcm"},{"vulnerability":"VCID-p7my-33nz-puhn"},{"vulnerability":"VCID-ubx5-xans-8bey"},{"vulnerability":"VCID-z4xn-smp8-tfcj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.28.0rc1"},{"url":"http://public2.vulnerablecode.io/api/packages/21485?format=json","purl":"pkg:pypi/matrix-synapse@1.28.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2q41-366b-jfbs"},{"vulnerability":"VCID-2uq2-kcfr-87gr"},{"vulnerability":"VCID-3sbj-6gut-cybe"},{"vulnerability":"VCID-4vve-jkk2-rueg"},{"vulnerability":"VCID-57xv-u1be-mfez"},{"vulnerability":"VCID-9t8r-dp58-xydr"},{"vulnerability":"VCID-b461-xbt2-9fg1"},{"vulnerability":"VCID-bnz6-nw3z-77gd"},{"vulnerability":"VCID-d6yz-j1f9-cfec"},{"vulnerability":"VCID-djck-vkte-q7he"},{"vulnerability":"VCID-ewxj-3jt9-p7af"},{"vulnerability":"VCID-ftmr-xpa4-mbfd"},{"vulnerability":"VCID-gre7-9vu7-vqdh"},{"vulnerability":"VCID-mgxc-w86p-yqcm"},{"vulnerability":"VCID-ubx5-xans-8bey"},{"vulnerability":"VCID-z4xn-smp8-tfcj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.28.0"}],"aliases":["CVE-2021-21392","GHSA-5wrh-4jwv-5w78","PYSEC-2021-25"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-j8zw-nzgv-mkeq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36567?format=json","vulnerability_id":"VCID-mgxc-w86p-yqcm","summary":"Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. Prior to version 1.94.0, a malicious server ACL event can impact performance temporarily or permanently leading to a persistent denial of service. 
Homeservers running on a closed federation (which presumably do not need to use server ACLs) are not affected. Server administrators are advised to upgrade to Synapse 1.94.0 or later. As a workaround, rooms with malicious server ACL events can be purged and blocked using the admin API.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-45129.json","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-45129.json"},{"reference_url":"https://github.com/matrix-org/synapse","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse"},{"reference_url":"https://github.com/matrix-org/synapse/commit/f84da3c32ec74cf054e2fd6d10618aa4997cffaa","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/commit/f84da3c32ec74cf054e2fd6d10618aa4997cffaa"},{"reference_url":"https://github.com/matrix-org/synapse/pull/16360","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA
:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/pull/16360"},{"reference_url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-5chr-wjw5-3gq4","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-5chr-wjw5-3gq4"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2023-199.yaml","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2023-199.yaml"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KEVRB4MG5UXQ5RLZHSUJXM5GWEBYYS5B","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KEVRB4MG5UXQ5RLZHSUJXM5GWEBYYS5B"},{"reference_url":"https://lists.fedoraproject.org/archives/list/packa
ge-announce@lists.fedoraproject.org/message/N6P4QULVUE254WI7XF2LWWOGHCYVFXFY","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N6P4QULVUE254WI7XF2LWWOGHCYVFXFY"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WRO4MPQ6HOXIUZM6RJP6VTCTMV7RD2T3","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WRO4MPQ6HOXIUZM6RJP6VTCTMV7RD2T3"},{"reference_url":"https://matrix-org.github.io/synapse/latest/admin_api/rooms.html#version-2-new-version","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://matrix-org.github.io/synapse/latest/admin_api/rooms.html#version-2-new-version"},{"reference_url":"https://security.gentoo.org/glsa/202401-12","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C
:N/I:N/A:H"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.gentoo.org/glsa/202401-12"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2243128","reference_id":"2243128","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2243128"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-45129","reference_id":"CVE-2023-45129","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-45129"},{"reference_url":"https://github.com/advisories/GHSA-5chr-wjw5-3gq4","reference_id":"GHSA-5chr-wjw5-3gq4","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-5chr-wjw5-3gq4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/36321?format=json","purl":"pkg:pypi/matrix-synapse@1.94.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4vve-jkk2-rueg"},{"vulnerability":"VCID-57xv-u1be-mfez"},{"vulnerability":"VCID-9t8r-dp58-xydr"},{"vulnerability":"VCID-ewxj-3jt9-p7af"},{"vulnerability":"VCID-z4xn-smp8-tfcj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.94.0"}],"aliases":["CVE-2023-45129","GHSA-5chr-wjw5-3gq4","PYSEC-2023-199"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mgxc-w86p-yqcm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/5786?format=json","vulnerability_id":"VCID-mqta-hmxv-duh6","summary":"denial of 
service","references":[{"reference_url":"https://github.com/matrix-org/synapse","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse"},{"reference_url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-4mp3-385r-v63f","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-4mp3-385r-v63f"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2020-237.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2020-237.yaml"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G7YXMMYQP46PYL664JQUXCA3LPBJU7DQ","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/
UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G7YXMMYQP46PYL664JQUXCA3LPBJU7DQ"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G7YXMMYQP46PYL664JQUXCA3LPBJU7DQ/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G7YXMMYQP46PYL664JQUXCA3LPBJU7DQ/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U34DPP4ZLOEDUY2ZCWOHQPU5GA5LYNUQ","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U34DPP4ZLOEDUY2ZCWOHQPU5GA5LYNUQ"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U34DPP4ZLOEDUY2ZCWOHQPU5GA5LYNUQ/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U34DPP4ZLOEDUY2ZCWOHQPU5GA5LYNUQ/"},{"reference_url":"https://pypi.org/project/matrix-synapse","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://p
ypi.org/project/matrix-synapse"},{"reference_url":"https://security.archlinux.org/ASA-202011-23","reference_id":"ASA-202011-23","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-202011-23"},{"reference_url":"https://security.archlinux.org/AVG-1296","reference_id":"AVG-1296","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1296"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-26890","reference_id":"CVE-2020-26890","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-26890"},{"reference_url":"https://github.com/advisories/GHSA-4mp3-385r-v63f","reference_id":"GHSA-4mp3-385r-v63f","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-4mp3-385r-v63f"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/18643?format=json","purl":"pkg:pypi/matrix-synapse@1.20.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2q41-366b-jfbs"},{"vulnerability":"VCID-2uq2-kcfr-87gr"},{"vulnerability":"VCID-3sbj-6gut-cybe"},{"vulnerability":"VCID-4vve-jkk2-rueg"},{"vulnerability":"VCID-57xv-u1be-mfez"},{"vulnerability":"VCID-6bx9-6prt-vffg"},{"vulnerability":"VCID-9jy7-pnmw-1bbq"},{"vulnerability":"VCID-9t8r-dp58-xydr"},{"vulnerability":"VCID-b461-xbt2-9fg1"},{"vulnerability":"VCID-bmw9-6jkv-t3ds"},{"vulnerability":"VCID-bnz6-nw3z-77gd"},{"vulnerability":"VCID-buj8-8fqz-yyfe"},{"vulnerability":"VCID-d6yz-j1f9-cfec"},{"vulnerability":"VCID-djck-vkte-q7he"},{"vulnerability":"VCID-ewxj-3jt9-p7af"},{"vulnerability":"VCID-ftmr-xpa4-mbfd"},{"vulnerability":"VCID-gre7-9vu7-v
qdh"},{"vulnerability":"VCID-j8zw-nzgv-mkeq"},{"vulnerability":"VCID-jsxu-cjjr-nfhw"},{"vulnerability":"VCID-mgxc-w86p-yqcm"},{"vulnerability":"VCID-p7my-33nz-puhn"},{"vulnerability":"VCID-rab2-vwyz-ufdt"},{"vulnerability":"VCID-swgx-he8k-1qhy"},{"vulnerability":"VCID-ubx5-xans-8bey"},{"vulnerability":"VCID-z4xn-smp8-tfcj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.20.0"}],"aliases":["CVE-2020-26890","GHSA-4mp3-385r-v63f","PYSEC-2020-237"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mqta-hmxv-duh6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35776?format=json","vulnerability_id":"VCID-p7my-33nz-puhn","summary":"Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0, missing input validation of some parameters on the endpoints used to confirm third-party identifiers could cause excessive use of disk space and memory, leading to resource exhaustion. Note that the groups feature is not part of the Matrix specification and the chosen maximum lengths are arbitrary. Not all clients might abide by them. 
Refer to referenced GitHub security advisory for additional details including workarounds.","references":[{"reference_url":"https://github.com/matrix-org/synapse","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse"},{"reference_url":"https://github.com/matrix-org/synapse/commit/3f58fc848d0002de4605bed91603a1f9f245d128","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/commit/3f58fc848d0002de4605bed91603a1f9f245d128"},{"reference_url":"https://github.com/matrix-org/synapse/commit/d2f0ec12d5c8f113095408888e87e191ac546499","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/commit/d2f0ec12d5c8f113095408888e87e191ac546499"},{"reference_url":"https://github.com/matrix-org/synapse/pull/9321","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:
N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/pull/9321"},{"reference_url":"https://github.com/matrix-org/synapse/pull/9393","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/pull/9393"},{"reference_url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-jrh7-mhhx-6h88","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-jrh7-mhhx-6h88"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-26.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2021-26.yaml"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY","reference_id":"","reference_type":"","scores":[{"v
alue":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNNAJOZNMVMXM6AS7RFFKB4QLUJ4IFEY"},{"reference_url":"https://pypi.org/project/matrix-synapse","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://pypi.org/project/matrix-synapse"},{"reference_url":"https://pypi.org/project/matrix-synapse/","reference_id":"","reference_type":"","scores":[],"url":"https://pypi.org/project/matrix-synapse/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21393","reference_id":"CVE-2021-21393","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21393"},{"reference_url":"https://github.com/advisories/GHSA-jrh7-mhhx-6h88","reference_id":"GHSA-jrh7-mhhx-6h88","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-jrh7-mhhx-6h88"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/21485?format=json","purl":"pkg:pypi/matrix-synapse@1.28.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2q41-366b-jf
bs"},{"vulnerability":"VCID-2uq2-kcfr-87gr"},{"vulnerability":"VCID-3sbj-6gut-cybe"},{"vulnerability":"VCID-4vve-jkk2-rueg"},{"vulnerability":"VCID-57xv-u1be-mfez"},{"vulnerability":"VCID-9t8r-dp58-xydr"},{"vulnerability":"VCID-b461-xbt2-9fg1"},{"vulnerability":"VCID-bnz6-nw3z-77gd"},{"vulnerability":"VCID-d6yz-j1f9-cfec"},{"vulnerability":"VCID-djck-vkte-q7he"},{"vulnerability":"VCID-ewxj-3jt9-p7af"},{"vulnerability":"VCID-ftmr-xpa4-mbfd"},{"vulnerability":"VCID-gre7-9vu7-vqdh"},{"vulnerability":"VCID-mgxc-w86p-yqcm"},{"vulnerability":"VCID-ubx5-xans-8bey"},{"vulnerability":"VCID-z4xn-smp8-tfcj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.28.0"}],"aliases":["CVE-2021-21393","GHSA-jrh7-mhhx-6h88","PYSEC-2021-26"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-p7my-33nz-puhn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/6179?format=json","vulnerability_id":"VCID-qgzv-dqh8-c3gp","summary":"private key 
recovery","references":[{"reference_url":"https://github.com/matrix-org/synapse","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/matrix-org/synapse"},{"reference_url":"https://github.com/matrix-org/synapse/blob/67f9e5293ea6650b2ec284c0b7503f3f3eade94b/docs/changelogs/CHANGES-pre-1.0.md?plain=1#L460","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/matrix-org/synapse/blob/67f9e5293ea6650b2ec284c0b7503f3f3eade94b/docs/changelogs/CHANGES-pre-1.0.md?plain=1#L460"},{"reference_url":"https://github.com/matrix-org/synapse/issues/4664","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/matrix-org/synapse/issues/4664"},{"reference_url":"https://github.com/matrix-org/synapse/pull/4315","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/matrix-org/synapse/pull/4315"},{"reference_url":"https://github.com/matrix-org/synapse/pull/4373","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/matrix-org/synapse/pull/4373"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2019-187.yaml","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2019-187.yaml"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/32Y6KD3OAHCG5P33HC2QEX3NUZOSXCGZ","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/32Y6KD3OAHCG5P33HC2QEX3NUZOSXCGZ"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/32Y6KD3OAHCG5P33HC2QEX3NUZOSXCGZ/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/32Y6KD3OAHCG5P33HC2QEX3NUZOSXCGZ/"},{"reference_url":"ht
tps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VMCLO5PUPBA756UKY72PKUWL4RRM4W6K","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VMCLO5PUPBA756UKY72PKUWL4RRM4W6K"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VMCLO5PUPBA756UKY72PKUWL4RRM4W6K/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VMCLO5PUPBA756UKY72PKUWL4RRM4W6K/"},{"reference_url":"https://matrix.org/blog/2019/01/10/critical-security-update-synapse-0-34-0-1-synapse-0-34-1-1","reference_id":"","reference_type":"","scores":[],"url":"https://matrix.org/blog/2019/01/10/critical-security-update-synapse-0-34-0-1-synapse-0-34-1-1"},{"reference_url":"https://matrix.org/blog/2019/01/10/critical-security-update-synapse-0-34-0-1-synapse-0-34-1-1/","reference_id":"","reference_type":"","scores":[],"url":"https://matrix.org/blog/2019/01/10/critical-security-update-synapse-0-34-0-1-synapse-0-34-1-1/"},{"reference_url":"https://matrix.org/blog/2019/01/15/further-details-on-critical-security-update-in-synapse-affecting-all-versions-prior-to-0-34-1-cve-2019-5885","reference_id":"","reference_type":"","scores":[],"url":"https://matrix.org/blog/2019/01/15/further-details-on-critical-security-update-in-synapse-affecting-all-versions-prior-to-0-34-1-cve-2019-5885"},{"reference_url":"https://matrix.org/blog/2019/01/15/further-details-on-critical-security-update-in-synapse-affecting-all-versions-prior-to-0-34-1-cve-2019-5885/","reference_id":"","reference_type":"","scores":[],"url":"https://matrix.org/blog/2019/01/15/further-details-on-critical-security-update-in-synapse-affecting-all-versions-prior-to-0-34-1-cve-2019-5885/"},{"reference_url":"https://security.archlinux.org/ASA-201901-12","reference_id":"ASA-20
1901-12","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-201901-12"},{"reference_url":"https://security.archlinux.org/AVG-846","reference_id":"AVG-846","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-846"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-5885","reference_id":"CVE-2019-5885","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-5885"},{"reference_url":"https://github.com/advisories/GHSA-jrqm-v8cv-53ww","reference_id":"GHSA-jrqm-v8cv-53ww","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-jrqm-v8cv-53ww"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/13105?format=json","purl":"pkg:pypi/matrix-synapse@0.34.0.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2q41-366b-jfbs"},{"vulnerability":"VCID-2uq2-kcfr-87gr"},{"vulnerability":"VCID-3sbj-6gut-cybe"},{"vulnerability":"VCID-4vve-jkk2-rueg"},{"vulnerability":"VCID-57xv-u1be-mfez"},{"vulnerability":"VCID-6bx9-6prt-vffg"},{"vulnerability":"VCID-9jy7-pnmw-1bbq"},{"vulnerability":"VCID-9t8r-dp58-xydr"},{"vulnerability":"VCID-b461-xbt2-9fg1"},{"vulnerability":"VCID-bmw9-6jkv-t3ds"},{"vulnerability":"VCID-bnz6-nw3z-77gd"},{"vulnerability":"VCID-buj8-8fqz-yyfe"},{"vulnerability":"VCID-d6yz-j1f9-cfec"},{"vulnerability":"VCID-djck-vkte-q7he"},{"vulnerability":"VCID-ewxj-3jt9-p7af"},{"vulnerability":"VCID-ftmr-xpa4-mbfd"},{"vulnerability":"VCID-gmab-mbjg-gbet"},{"vulnerability":"VCID-gre7-9vu7-vqdh"},{"vulnerability":"VCID-j8zw-nzgv-mkeq"},{"vulnerability":"VCID-mgxc-w86p-yqcm"},{"vulnerability":"VCID-mqta-hmxv-duh6"},{"vulnerability":"VCID-p7my-33nz-puhn"},{"vulnerability":"VCID-rab2-vwyz-ufdt"},{"vulnerability":"VCID-swgx-he8k-1qhy"},{"vulnerability":"VCID-ubx5-xans-8bey"},{"vulnerability":"VCID-z4xn-smp8-tfcj"},{"vulnerability":"VCID-zc47-w46p-9bhx"}],"resource_url":"http://pub
lic2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@0.34.0.1"}],"aliases":["CVE-2019-5885","GHSA-jrqm-v8cv-53ww","PYSEC-2019-187"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qgzv-dqh8-c3gp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35690?format=json","vulnerability_id":"VCID-rab2-vwyz-ufdt","summary":"Matrix is an ecosystem for open federated Instant Messaging and VoIP. Synapse is a reference \"homeserver\" implementation of Matrix. A malicious or poorly-implemented homeserver can inject malformed events into a room by specifying a different room id in the path of a `/send_join`, `/send_leave`, `/invite` or `/exchange_third_party_invite` request. This can lead to a denial of service in which future events will not be correctly sent to other servers over federation. This affects any server which accepts federation requests from untrusted servers. The Matrix Synapse reference implementation before version 1.23.1 is vulnerable to this injection attack. Issue is fixed in version 1.23.1. 
As a workaround homeserver administrators could limit access to the federation API to trusted servers (for example via `federation_domain_whitelist`).","references":[{"reference_url":"https://github.com/matrix-org/synapse/blob/develop/CHANGES.md#synapse-1231-2020-12-09","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/blob/develop/CHANGES.md#synapse-1231-2020-12-09"},{"reference_url":"https://github.com/matrix-org/synapse/commit/3ce2f303f15f6ac3dc352298972dc6e04d9b7a8b","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/commit/3ce2f303f15f6ac3dc352298972dc6e04d9b7a8b"},{"reference_url":"https://github.com/matrix-org/synapse/pull/8776","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/pull/8776"},{"reference_url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-hxmp-pqch-c8mm","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:
L/UI:N/S:U/C:N/I:N/A:H"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-hxmp-pqch-c8mm"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2020-236.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2020-236.yaml"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DBTIU3ZNBFWZ56V4X7JIAD33V5H2GOMC","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DBTIU3ZNBFWZ56V4X7JIAD33V5H2GOMC"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DBTIU3ZNBFWZ56V4X7JIAD33V5H2GOMC/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DBTIU3ZNBFWZ56V4X7JIAD33V5H2GOMC/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QR4MMYZKX5N5GYGH4H5
LBUUC5TLAFHI7","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QR4MMYZKX5N5GYGH4H5LBUUC5TLAFHI7"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QR4MMYZKX5N5GYGH4H5LBUUC5TLAFHI7/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QR4MMYZKX5N5GYGH4H5LBUUC5TLAFHI7/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-26257","reference_id":"CVE-2020-26257","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-26257"},{"reference_url":"https://github.com/advisories/GHSA-hxmp-pqch-c8mm","reference_id":"GHSA-hxmp-pqch-c8mm","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-hxmp-pqch-c8mm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/19296?format=json","purl":"pkg:pypi/matrix-synapse@1.23.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2q41-366b-jfbs"},{"vulnerability":"VCID-2uq2-kcfr-87gr"},{"vulnerability":"VCID-3sbj-6gut-cybe"},{"vulnerability":"VCID-4vve-jkk2-rueg"},{"vulnerability":"VCID-57xv-u1be-mfez"},{"vulnerability":"VCID-6bx9-6prt-vffg"},{"vulnerability":"VCID-9jy7-pnmw-
1bbq"},{"vulnerability":"VCID-9t8r-dp58-xydr"},{"vulnerability":"VCID-b461-xbt2-9fg1"},{"vulnerability":"VCID-bmw9-6jkv-t3ds"},{"vulnerability":"VCID-bnz6-nw3z-77gd"},{"vulnerability":"VCID-buj8-8fqz-yyfe"},{"vulnerability":"VCID-d6yz-j1f9-cfec"},{"vulnerability":"VCID-djck-vkte-q7he"},{"vulnerability":"VCID-ewxj-3jt9-p7af"},{"vulnerability":"VCID-ftmr-xpa4-mbfd"},{"vulnerability":"VCID-gre7-9vu7-vqdh"},{"vulnerability":"VCID-j8zw-nzgv-mkeq"},{"vulnerability":"VCID-jsxu-cjjr-nfhw"},{"vulnerability":"VCID-mgxc-w86p-yqcm"},{"vulnerability":"VCID-p7my-33nz-puhn"},{"vulnerability":"VCID-ubx5-xans-8bey"},{"vulnerability":"VCID-z4xn-smp8-tfcj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.23.1"}],"aliases":["CVE-2020-26257","GHSA-hxmp-pqch-c8mm","PYSEC-2020-236"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rab2-vwyz-ufdt"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/5821?format=json","vulnerability_id":"VCID-swgx-he8k-1qhy","summary":"cross-site 
scripting","references":[{"reference_url":"https://github.com/matrix-org/synapse","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse"},{"reference_url":"https://github.com/matrix-org/synapse/pull/8444","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/pull/8444"},{"reference_url":"https://github.com/matrix-org/synapse/releases","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/releases"},{"reference_url":"https://github.com/matrix-org/synapse/releases/tag/v1.21.2","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/releases/tag/v1.21.2"},{"reference_url":"https
://github.com/matrix-org/synapse/security/advisories/GHSA-3x8c-fmpc-5rmq","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-3x8c-fmpc-5rmq"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2020-238.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2020-238.yaml"},{"reference_url":"https://matrix.org/blog/2020/10/15/synapse-1-21-2-released-and-security-advisory","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://matrix.org/blog/2020/10/15/synapse-1-21-2-released-and-security-advisory"},{"reference_url":"https://security.archlinux.org/ASA-202011-4","reference_id":"ASA-202011-4","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-202011-4"},{"reference_url":"https://security.archlinux.org/AVG-1252","reference_id":"AVG-1252","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scor
ing_elements":""}],"url":"https://security.archlinux.org/AVG-1252"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-26891","reference_id":"CVE-2020-26891","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-26891"},{"reference_url":"https://github.com/advisories/GHSA-3x8c-fmpc-5rmq","reference_id":"GHSA-3x8c-fmpc-5rmq","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-3x8c-fmpc-5rmq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/18648?format=json","purl":"pkg:pypi/matrix-synapse@1.21.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2q41-366b-jfbs"},{"vulnerability":"VCID-2uq2-kcfr-87gr"},{"vulnerability":"VCID-3sbj-6gut-cybe"},{"vulnerability":"VCID-4vve-jkk2-rueg"},{"vulnerability":"VCID-57xv-u1be-mfez"},{"vulnerability":"VCID-6bx9-6prt-vffg"},{"vulnerability":"VCID-9jy7-pnmw-1bbq"},{"vulnerability":"VCID-9t8r-dp58-xydr"},{"vulnerability":"VCID-b461-xbt2-9fg1"},{"vulnerability":"VCID-bmw9-6jkv-t3ds"},{"vulnerability":"VCID-bnz6-nw3z-77gd"},{"vulnerability":"VCID-buj8-8fqz-yyfe"},{"vulnerability":"VCID-d6yz-j1f9-cfec"},{"vulnerability":"VCID-djck-vkte-q7he"},{"vulnerability":"VCID-ewxj-3jt9-p7af"},{"vulnerability":"VCID-ftmr-xpa4-mbfd"},{"vulnerability":"VCID-gre7-9vu7-vqdh"},{"vulnerability":"VCID-j8zw-nzgv-mkeq"},{"vulnerability":"VCID-jsxu-cjjr-nfhw"},{"vulnerability":"VCID-mgxc-w86p-yqcm"},{"vulnerability":"VCID-p7my-33nz-puhn"},{"vulnerability":"VCID-rab2-vwyz-ufdt"},{"vulnerability":"VCID-ubx5-xans-8bey"},{"vulnerability":"VCID-z4xn-smp8-tfcj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.21.0
"}],"aliases":["CVE-2020-26891","GHSA-3x8c-fmpc-5rmq","PYSEC-2020-238"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-swgx-he8k-1qhy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36451?format=json","vulnerability_id":"VCID-ubx5-xans-8bey","summary":"Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. A malicious user on a Synapse homeserver X with permission to create certain state events can disable outbound federation from X to an arbitrary homeserver Y. Synapse instances with federation disabled are not affected. In versions of Synapse up to and including 1.73, Synapse did not limit the size of `invite_room_state`, meaning that it was possible to create an arbitrarily large invite event. Synapse 1.74 refuses to create oversized `invite_room_state` fields. Server operators should upgrade to Synapse 1.74 or newer urgently.","references":[{"reference_url":"https://github.com/matrix-org/synapse","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse"},{"reference_url":"https://github.com/matrix-org/synapse/issues/14492","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/issues/14492"},{"reference_url":"https://github.com
/matrix-org/synapse/pull/14642","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/pull/14642"},{"reference_url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-f3wc-3vxv-xmvr","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/synapse/security/advisories/GHSA-f3wc-3vxv-xmvr"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2023-67.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2023-67.yaml"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJIJRP5ZH6B3KGFLHCAKR2IX2Y4Z25QD","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI
:N/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJIJRP5ZH6B3KGFLHCAKR2IX2Y4Z25QD"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-32323","reference_id":"CVE-2023-32323","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-32323"},{"reference_url":"https://github.com/advisories/GHSA-f3wc-3vxv-xmvr","reference_id":"GHSA-f3wc-3vxv-xmvr","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-f3wc-3vxv-xmvr"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/33841?format=json","purl":"pkg:pypi/matrix-synapse@1.74.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2q41-366b-jfbs"},{"vulnerability":"VCID-2uq2-kcfr-87gr"},{"vulnerability":"VCID-4vve-jkk2-rueg"},{"vulnerability":"VCID-57xv-u1be-mfez"},{"vulnerability":"VCID-8zas-gnpp-3qfd"},{"vulnerability":"VCID-9t8r-dp58-xydr"},{"vulnerability":"VCID-ewxj-3jt9-p7af"},{"vulnerability":"VCID-mgxc-w86p-yqcm"},{"vulnerability":"VCID-w6fr-65fa-9yhb"},{"vulnerability":"VCID-z4xn-smp8-tfcj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.74.0"}],"aliases":["CVE-2023-32323","GHSA-f3wc-3vxv-xmvr","PYSEC-2023-67"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ubx5-xans-8bey"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36947?format=json","vulnerability_id":"VCID-z4xn-smp8-tfcj","summary":"Synapse is an open-source Matrix homeserver. 
Synapse versions before 1.106 are vulnerable to a disk fill attack, where an unauthenticated adversary can induce Synapse to download and cache large amounts of remote media. The default rate limit strategy is insufficient to mitigate this. This can lead to a denial of service, ranging from further media uploads/downloads failing to complete unavailability of the Synapse process, depending on how Synapse was deployed. Synapse 1.106 introduces a new \"leaky bucket\" rate limit on remote media downloads to reduce the amount of data a user can request at a time. This does not fully address the issue, but does limit an unauthenticated user's ability to request large amounts of data to be cached.","references":[{"reference_url":"https://github.com/element-hq/synapse","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/element-hq/synapse"},{"reference_url":"https://github.com/element-hq/synapse/security/advisories/GHSA-4mhg-xv73-xq2x","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/element-hq/synapse/security/advisories/GHSA-4mhg-xv73-xq2x"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-37302","reference_id":"CVE-2024-37302","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cv
ssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-37302"},{"reference_url":"https://github.com/advisories/GHSA-4mhg-xv73-xq2x","reference_id":"GHSA-4mhg-xv73-xq2x","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-4mhg-xv73-xq2x"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/83453?format=json","purl":"pkg:pypi/matrix-synapse@1.106","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.106"},{"url":"http://public2.vulnerablecode.io/api/packages/44195?format=json","purl":"pkg:pypi/matrix-synapse@1.106.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-57xv-u1be-mfez"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.106.0"}],"aliases":["CVE-2024-37302","GHSA-4mhg-xv73-xq2x","PYSEC-2024-286"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-z4xn-smp8-tfcj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35360?format=json","vulnerability_id":"VCID-zc47-w46p-9bhx","summary":"An issue was discovered in Matrix Sydent before 1.0.3 and Synapse before 0.99.3.1. 
Random number generation is mishandled, which makes it easier for attackers to predict a Sydent authentication token or a Synapse random ID.","references":[{"reference_url":"https://github.com/advisories/GHSA-gwf7-vfjf-wf6x","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-gwf7-vfjf-wf6x"},{"reference_url":"https://matrix.org/blog/2019/05/03/security-updates-sydent-1-0-3-synapse-0-99-3-1-and-riot-android-0-9-0-0-8-99-0-8-28-a/","reference_id":"","reference_type":"","scores":[],"url":"https://matrix.org/blog/2019/05/03/security-updates-sydent-1-0-3-synapse-0-99-3-1-and-riot-android-0-9-0-0-8-99-0-8-28-a/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/13461?format=json","purl":"pkg:pypi/matrix-synapse@0.99.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2q41-366b-jfbs"},{"vulnerability":"VCID-2uq2-kcfr-87gr"},{"vulnerability":"VCID-3sbj-6gut-cybe"},{"vulnerability":"VCID-4vve-jkk2-rueg"},{"vulnerability":"VCID-57xv-u1be-mfez"},{"vulnerability":"VCID-6bx9-6prt-vffg"},{"vulnerability":"VCID-9jy7-pnmw-1bbq"},{"vulnerability":"VCID-9t8r-dp58-xydr"},{"vulnerability":"VCID-b461-xbt2-9fg1"},{"vulnerability":"VCID-bmw9-6jkv-t3ds"},{"vulnerability":"VCID-bnz6-nw3z-77gd"},{"vulnerability":"VCID-buj8-8fqz-yyfe"},{"vulnerability":"VCID-d6yz-j1f9-cfec"},{"vulnerability":"VCID-djck-vkte-q7he"},{"vulnerability":"VCID-ewxj-3jt9-p7af"},{"vulnerability":"VCID-ftmr-xpa4-mbfd"},{"vulnerability":"VCID-gmab-mbjg-gbet"},{"vulnerability":"VCID-gre7-9vu7-vqdh"},{"vulnerability":"VCID-j8zw-nzgv-mkeq"},{"vulnerability":"VCID-jsxu-cjjr-nfhw"},{"vulnerability":"VCID-mgxc-w86p-yqcm"},{"vulnerability":"VCID-mqta-hmxv-duh6"},{"vulnerability":"VCID-p7my-33nz-puhn"},{"vulnerability":"VCID-rab2-vwyz-ufdt"},{"vulnerability":"VCID-swgx-he8k-1qhy"},{"vulnerability":"VCID-ubx5-xans-8bey"},{"vulnerability":"VCID-z4xn-smp8-tfcj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-syn
apse@0.99.3.1"}],"aliases":["CVE-2019-11842","GHSA-gwf7-vfjf-wf6x","PYSEC-2019-185"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zc47-w46p-9bhx"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@0.33.9"}