CVE-2019-11842: matrix-sydent and matrix-synapse Use Cryptographically Weak PRNG

May 24, 2022 (updated September 30, 2024)

An issue was discovered in Matrix Sydent before 1.0.3 and Synapse before 0.99.3.1. Random number generation is mishandled, which makes it easier for attackers to predict a Sydent authentication token or a Synapse random ID.

References

github.com/advisories/GHSA-gwf7-vfjf-wf6x
github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2019-185.yaml
matrix.org/blog/2019/05/03/security-updates-sydent-1-0-3-synapse-0-99-3-1-and-riot-android-0-9-0-0-8-99-0-8-28-a
nvd.nist.gov/vuln/detail/CVE-2019-11842

Detect and mitigate CVE-2019-11842 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →