CVE-2023-43796: Exposure of Sensitive Information to an Unauthorized Actor

October 31, 2023 (updated January 7, 2024)

Synapse is an open-source Matrix homeserver Prior to versions 1.95.1 and 1.96.0rc1, cached device information of remote users can be queried from Synapse. This can be used to enumerate the remote users known to a homeserver. System administrators are encouraged to upgrade to Synapse 1.95.1 or 1.96.0rc1 to receive a patch. As a workaround, the federation_domain_allow list can be used to limit federation traffic with a homeserver.

References

github.com/advisories/GHSA-mp92-3jfm-3575
github.com/matrix-org/synapse/commit/daec55e1fe120c564240c5386e77941372bf458f
github.com/matrix-org/synapse/security/advisories/GHSA-mp92-3jfm-3575
nvd.nist.gov/vuln/detail/CVE-2023-43796

Detect and mitigate CVE-2023-43796 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →