CVE-2023-43796
Severity CVSS v4.0:
Pending analysis
Type:
CWE-200
Information Leak / Disclosure
Publication date:
31/10/2023
Last modified:
13/02/2025
Description
Synapse is an open-source Matrix homeserver Prior to versions 1.95.1 and 1.96.0rc1, cached device information of remote users can be queried from Synapse. This can be used to enumerate the remote users known to a homeserver. System administrators are encouraged to upgrade to Synapse 1.95.1 or 1.96.0rc1 to receive a patch. As a workaround, the `federation_domain_whitelist` can be used to limit federation traffic with a homeserver.
Impact
Base Score 3.x
5.30
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:matrix:synapse:*:*:*:*:*:*:*:* | 1.95.1 (excluding) | |
| cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:* | ||
| cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://github.com/matrix-org/synapse/commit/daec55e1fe120c564240c5386e77941372bf458f
- https://github.com/matrix-org/synapse/security/advisories/GHSA-mp92-3jfm-3575
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2IDEEZMFJBDLTFHQUTZRJJNCOZGQ2ZVS/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VH3RNC5ZPQZ4OKPSL4E6BBJSZOQLGDEY/
- https://security.gentoo.org/glsa/202401-12
- https://github.com/matrix-org/synapse/commit/daec55e1fe120c564240c5386e77941372bf458f
- https://github.com/matrix-org/synapse/security/advisories/GHSA-mp92-3jfm-3575
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2IDEEZMFJBDLTFHQUTZRJJNCOZGQ2ZVS/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VH3RNC5ZPQZ4OKPSL4E6BBJSZOQLGDEY/
- https://security.gentoo.org/glsa/202401-12