CVE-2022-31152: Denial of service due to incorrect application of event authorization rules
(updated )
The Matrix specification specifies a list of event authorization rules which must be checked when determining if an event should be accepted into a room.
In versions of Synapse up to and including v1.61, some of these rules are not correctly applied. An attacker could craft events which would be accepted by Synapse but not a spec-conformant server, potentially causing divergence in the room state between servers.
References
- github.com/advisories/GHSA-jhjh-776m-4765
- github.com/matrix-org/synapse
- github.com/matrix-org/synapse/commit/d4b1c0d800eaa83c4d56a9cf17881ad362b9194b
- github.com/matrix-org/synapse/commit/e16ea87d0f8c4c30cad36f85488eb1f647e640b0
- github.com/matrix-org/synapse/pull/13087
- github.com/matrix-org/synapse/pull/13088
- github.com/matrix-org/synapse/releases/tag/v1.62.0
- github.com/matrix-org/synapse/security/advisories/GHSA-jhjh-776m-4765
- github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2022-262.yaml
- nvd.nist.gov/vuln/detail/CVE-2022-31152
Detect and mitigate CVE-2022-31152 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →