Alpine: multiple synapse packages: security update to 1.93.0-r0

medium Tenable Self-Hosted Container Security Plugin ID 407310

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. When
users update their passwords, the new credentials may be briefly held in the server database. While this
doesn't grant the server any added capabilities—it already learns the users' passwords as part of the
authentication process—it does disrupt the expectation that passwords won't be stored in the database. As
a result, these passwords could inadvertently be captured in database backups for a longer duration. These
temporarily stored passwords are automatically erased after a 48-hour window. This issue has been
addressed in version 1.93.0. Users are advised to upgrade. There are no known workarounds for this issue.
(CVE-2023-41335)

- Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. Users
were able to forge read receipts for any event (if they knew the room ID and event ID). Note that the
users were not able to view the events, but simply mark it as read. This could be confusing as clients
will show the event as read by the user, even if they are not in the room. This issue has been patched in
version 1.93.0. Users are advised to upgrade. There are no known workarounds for this issue.
(CVE-2023-42453)

See Also

https://security.alpinelinux.org/vuln/CVE-2023-41335

https://security.alpinelinux.org/vuln/CVE-2023-42453

Plugin Details

Severity: Medium

ID: 407310

Version: Revision 1.47

Type: Local

Published: 10/31/2023

Updated: 9/29/2025

Supported Sensors: Agentless Assessment

Risk Information

VPR

Risk Factor: Low

Score: 2.1

Percentile: 7.51

CVSS v2

Risk Factor: Medium

Base Score: 4

Temporal Score: 3

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:N

CVSS Score Source: CVE-2023-42453

CVSS v3

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.8

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 9/26/2023

Reference Information

CVE: CVE-2023-41335, CVE-2023-42453