New! CVE Severity Now Using CVSS v3

The calculated severity for CVEs has been updated to use CVSS v3 by default. CVEs that do not have a CVSS v3 score will fall back CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.


Matrix is an ecosystem for open federated Instant Messaging and Voice over IP. In versions 1.41.0 and prior, unauthorised users can access the membership (list of members, with their display names) of a room if they know the ID of the room. The vulnerability is limited to rooms with `shared` history visibility. Furthermore, the unauthorised user must be using an account on a vulnerable homeserver that is in the room. Server administrators should upgrade to 1.41.1 or later in order to receive the patch. One workaround is available. Administrators of servers that use a reverse proxy could, with potentially unacceptable loss of functionality, block the endpoints: `/_matrix/client/r0/rooms/{room_id}/members` with `at` query parameter, and `/_matrix/client/unstable/rooms/{room_id}/members` with `at` query parameter.

References[email protected]/message/PXT7ID7DNBRN2TVTETU3SYQHJKEG6PXN/[email protected]/message/2VHDEPCZ22GJFMZCWA2XZAGPOEV72POF/


Source: MITRE

Published: 2021-08-31

Updated: 2021-09-24

Type: CWE-200

Risk Information


Base Score: 3.5

Vector: AV:N/AC:M/Au:S/C:P/I:N/A:N

Impact Score: 2.9

Exploitability Score: 6.8

Severity: LOW


Base Score: 3.1

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

Impact Score: 1.4

Exploitability Score: 1.6

Severity: LOW

Tenable Plugins

View all (1 total)

153074FreeBSD : py-matrix-synapse -- several vulnerabilities (a67e358c-0bf6-11ec-875e-901b0e9408dc)NessusFreeBSD Local Security Checks