CVE-2019-18835: Improper Verification of Cryptographic Signature in matrix-synapse
(updated )
Matrix Synapse before 1.5.0 mishandles signature checking on some federation APIs. Events sent over /send_join, /send_leave, and /invite may not be correctly signed, or may not come from the expected servers.
References
- github.com/advisories/GHSA-cppw-2mf8-qpm5
- github.com/matrix-org/synapse
- github.com/matrix-org/synapse/commit/172f264ed38e8bef857552f93114b4ee113a880b
- github.com/matrix-org/synapse/pull/6262
- github.com/matrix-org/synapse/releases/tag/v1.5.0
- github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2019-186.yaml
- nvd.nist.gov/vuln/detail/CVE-2019-18835
Code Behaviors & Features
Detect and mitigate CVE-2019-18835 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →