CVE-2022-31152 : Synapse is an open-source Matrix homeserver written and maintained by the Matrix

Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. The Matrix specification specifies a list of [event authorization rules](https://spec.matrix.org/v1.2/rooms/v9/#authorization-rules) which must be checked when determining if an event should be accepted into a room. In versions of Synapse up to and including version 1.61.0, some of these rules are not correctly applied. An attacker could craft events which would be accepted by Synapse but not a spec-conformant server, potentially causing divergence in the room state between servers. Administrators of homeservers with federation enabled are advised to upgrade to version 1.62.0 or higher. Federation can be disabled by setting [`federation_domain_whitelist`](https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#federation_domain_whitelist) to an empty list (`[]`) as a workaround.

Published 2022-09-02 20:15:08

Updated 2022-09-09 03:21:59

Source GitHub, Inc.

View at NVD, CVE.org

Products affected by CVE-2022-31152

Matrix » Synapse
Versions before (<) 1.62.0
cpe:2.3:a:matrix:synapse:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2022-31152

EPSS FAQ

0.12%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 29 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-31152

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H	3.9	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High
6.4	MEDIUM	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H	1.6	4.7	GitHub, Inc.
Attack Vector: Network Attack Complexity: High Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: Low Availability: High

CWE ids for CVE-2022-31152

CWE-703 Improper Check or Handling of Exceptional Conditions

The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product.

Assigned by: security-advisories@github.com (Secondary)
CWE-755 Improper Handling of Exceptional Conditions

The product does not handle or incorrectly handles an exceptional condition.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2022-31152

https://github.com/matrix-org/synapse/pull/13088

Fix inconsistencies in event validation by richvdh · Pull Request #13088 · matrix-org/synapse · GitHub
Issue Tracking;Patch;Third Party Advisory
https://github.com/matrix-org/synapse/pull/13087

Fix inconsistencies in event validation for `m.room.create` events by richvdh · Pull Request #13087 · matrix-org/synapse · GitHub
Issue Tracking;Patch;Third Party Advisory
https://github.com/matrix-org/synapse/releases/tag/v1.62.0

Release v1.62.0 · matrix-org/synapse · GitHub
Release Notes;Third Party Advisory
https://github.com/matrix-org/synapse/security/advisories/GHSA-jhjh-776m-4765

Denial of service due to incorrect application of event authorization rules · Advisory · matrix-org/synapse · GitHub
Issue Tracking;Mitigation;Third Party Advisory

Jump to

Vulnerability Details : CVE-2022-31152

Products affected by CVE-2022-31152

Exploit prediction scoring system (EPSS) score for CVE-2022-31152

CVSS scores for CVE-2022-31152

CWE ids for CVE-2022-31152

References for CVE-2022-31152