Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. The Matrix Federation API allows remote homeservers to request the authorization events in a room. This is necessary so that a homeserver receiving some events can validate that those events are legitimate and permitted in their room. However, in versions of Synapse up to and including 1.68.0, a Synapse homeserver answering a query for authorization events does not sufficiently check that the requesting server should be able to access them. The issue was patched in Synapse 1.69.0. Homeserver administrators are advised to upgrade.

The remote Ubuntu 18.04 LTS / 20.04 LTS / 22.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-7444-1 advisory.

    It was discovered that Synapse network policies could be bypassed via specially crafted URLs. An attacker     could possibly use this issue to bypass authentication mechanisms. (CVE-2023-32683)

    It was discovered that Synapse exposed cached device information. An attacker could possibly use this     issue to gain access to sensitive information. (CVE-2023-43796)

    It was discovered that Synapse could be tricked into rejecting state changes in rooms. An attacker could     possibly use this issue to cause Synapse to stop functioning properly, resulting in a denial of service.
    This issue was only fixed in Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2022-39374)

    It was discovered that Synapse stored user credentials in a server's database temporarily. An attacker     could possibly use this issue to gain access to sensitive information. This issue was only fixed in Ubuntu     22.04 LTS. (CVE-2023-41335)

    It was discovered that Synapse could incorrectly respond to server authorization events. An attacker could     possibly use this issue to bypass authentication mechanisms. This issue was only fixed in Ubuntu 22.04     LTS. (CVE-2022-39335)

    It was discovered that Synapse could be manipulated to mark messages as read when they had not been     viewed. An attacker could possibly use this issue to perform repudiation-based attacks. This issue was     only fixed in Ubuntu 22.04 LTS. (CVE-2023-42453)

    It was discovered that Synapse had several memory-related issues. An attacker could possibly use this     issue to cause Synapse to crash, resulting in a denial of service. This issue was only fixed in Ubuntu     22.04 LTS. (CVE-2024-31208)

    It was discovered that Synapse could run external tools due to a unchecked thumbnail rendering routine. An     attacker could possibly use this issue to cause Synapse to crash, resulting in a denial of service, or     execute arbitrary code. This issue was only fixed in Ubuntu 22.04 LTS. (CVE-2024-53863)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 37 host has packages installed that are affected by multiple vulnerabilities as referenced in the FEDORA-2023-c0696d7b53 advisory.

    Update matrix-synapse to v1.80.0 to fix CVE-2022-39374, CVE-2023-32323

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 37 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2023-eb65439ec0 advisory.

    Security fix for CVE-2022-39335

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
234734	Ubuntu 18.04 LTS / 20.04 LTS / 22.04 LTS : Synapse vulnerabilities (USN-7444-1)	Nessus	Ubuntu Local Security Checks	high
181518	Fedora 37 : matrix-synapse / python-matrix-common / rust-pythonize (2023-c0696d7b53)	Nessus	Fedora Local Security Checks	medium
177094	Fedora 37 : matrix-synapse (2023-eb65439ec0)	Nessus	Fedora Local Security Checks	medium

Detections

Analytics

CVE-2022-39335

high

Tenable Plugins

high

medium

medium