{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-39374", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2022-09-02T14:16:35.887Z", "datePublished": "2023-05-26T13:44:44.113Z", "dateUpdated": "2025-02-13T16:33:00.253Z"}, "containers": {"cna": {"title": "Synapse Denial of service due to incorrect application of event authorization rules during state resolution", "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE"}]}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.0"}}], "references": [{"name": "https://github.com/matrix-org/synapse/security/advisories/GHSA-p9qp-c452-f9r7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-p9qp-c452-f9r7"}, {"name": "https://github.com/matrix-org/synapse/pull/13723", "tags": ["x_refsource_MISC"], "url": "https://github.com/matrix-org/synapse/pull/13723"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJIJRP5ZH6B3KGFLHCAKR2IX2Y4Z25QD/"}], "affected": [{"vendor": "matrix-org", "product": "synapse", "versions": [{"version": ">= 1.62.0, < 1.68.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-09-18T03:06:09.380Z"}, "descriptions": [{"lang": "en", "value": "Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. If Synapse and a malicious homeserver are both joined to the same room, the malicious homeserver can trick Synapse into accepting previously rejected events into its view of the current state of that room. This can be exploited in a way that causes all further messages and state changes sent in that room from the vulnerable homeserver to be rejected. This issue has been patched in version 1.68.0"}], "source": {"advisory": "GHSA-p9qp-c452-f9r7", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T12:00:44.179Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/matrix-org/synapse/security/advisories/GHSA-p9qp-c452-f9r7", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-p9qp-c452-f9r7"}, {"name": "https://github.com/matrix-org/synapse/pull/13723", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/matrix-org/synapse/pull/13723"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJIJRP5ZH6B3KGFLHCAKR2IX2Y4Z25QD/", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-01-15T15:33:57.407441Z", "id": "CVE-2022-39374", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-15T15:34:02.534Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-p9qp-c452-f9r7", "name": "https://github.com/matrix-org/synapse/security/advisories/GHSA-p9qp-c452-f9r7", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/matrix-org/synapse/pull/13723", "name": "https://github.com/matrix-org/synapse/pull/13723", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJIJRP5ZH6B3KGFLHCAKR2IX2Y4Z25QD/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T12:00:44.179Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-39374", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-01-15T15:33:57.407441Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-15T15:33:43.240Z"}}], "cna": {"title": "Synapse Denial of service due to incorrect application of event authorization rules during state resolution", "source": {"advisory": "GHSA-p9qp-c452-f9r7", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_0": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "matrix-org", "product": "synapse", "versions": [{"status": "affected", "version": ">= 1.62.0, < 1.68.0"}]}], "references": [{"url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-p9qp-c452-f9r7", "name": "https://github.com/matrix-org/synapse/security/advisories/GHSA-p9qp-c452-f9r7", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/matrix-org/synapse/pull/13723", "name": "https://github.com/matrix-org/synapse/pull/13723", "tags": ["x_refsource_MISC"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJIJRP5ZH6B3KGFLHCAKR2IX2Y4Z25QD/"}], "descriptions": [{"lang": "en", "value": "Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. If Synapse and a malicious homeserver are both joined to the same room, the malicious homeserver can trick Synapse into accepting previously rejected events into its view of the current state of that room. This can be exploited in a way that causes all further messages and state changes sent in that room from the vulnerable homeserver to be rejected. This issue has been patched in version 1.68.0\n\n"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-05-26T13:44:44.113Z"}}}, "cveMetadata": {"cveId": "CVE-2022-39374", "state": "PUBLISHED", "dateUpdated": "2025-01-15T15:34:02.534Z", "dateReserved": "2022-09-02T14:16:35.887Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2023-05-26T13:44:44.113Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:matrix:synapse:*:*:*:*:*:*:*:*", "matchCriteriaId": "0E4819D4-BB7E-4494-B77D-FC6BD5848FE6", "versionEndExcluding": "1.68.0", "versionStartIncluding": "1.62.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. If Synapse and a malicious homeserver are both joined to the same room, the malicious homeserver can trick Synapse into accepting previously rejected events into its view of the current state of that room. This can be exploited in a way that causes all further messages and state changes sent in that room from the vulnerable homeserver to be rejected. This issue has been patched in version 1.68.0"}, {"lang": "es", "value": "Synapse es un servidor dom\u00e9stico Matrix de c\u00f3digo abierto escrito y mantenido por la Fundaci\u00f3n Matrix.org. Si Synapse y un servidor dom\u00e9stico malicioso est\u00e1n unidos a la misma habitaci\u00f3n, el servidor dom\u00e9stico malicioso puede enga\u00f1ar a Synapse para que acepte eventos previamente rechazados en su vista del estado actual de esa sala. Esto se puede explotar de una manera que haga que todos los mensajes adicionales y los cambios de estado enviados en esa habitaci\u00f3n desde el servidor dom\u00e9stico vulnerable sean rechazados. Este problema se ha corregido en la versi\u00f3n 1.68.0 "}], "id": "CVE-2022-39374", "lastModified": "2025-02-13T17:15:42.717", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-05-26T14:15:10.257", "references": [{"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/matrix-org/synapse/pull/13723"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-p9qp-c452-f9r7"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJIJRP5ZH6B3KGFLHCAKR2IX2Y4Z25QD/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/matrix-org/synapse/pull/13723"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-p9qp-c452-f9r7"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJIJRP5ZH6B3KGFLHCAKR2IX2Y4Z25QD/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-400"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{}