CVE-2023-32682

Name
CVE-2023-32682
Description
Synapse is a Matrix protocol homeserver written in Python with the Twisted framework. In affected versions it may be possible for a deactivated user to login when using uncommon configurations. This only applies if any of the following are true: 1. JSON Web Tokens are enabled for login via the `jwt_config.enabled` configuration setting. 2. The local password database is enabled via the `password_config.enabled` and `password_config.localdb_enabled` configuration settings *and* a user's password is updated via an admin API after a user is deactivated. Note that the local password database is enabled by default, but it is uncommon to set a user's password after they've been deactivated. Installations that are configured to only allow login via Single Sign-On (SSO) via CAS, SAML or OpenID Connect (OIDC); or via an external password provider (e.g. LDAP) are not affected. If not using JSON Web Tokens, ensure that deactivated users do not have a password set. This issue has been addressed in version 1.85.0. Users are advised to upgrade.
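The description above lists the exact configuration conditions under which the issue applies. The following Python script is an added example, not part of this tracker entry or of the Synapse project's code: it classifies an installation against those conditions and lists deactivated accounts that still hold a password. It assumes the homeserver configuration has already been loaded from `homeserver.yaml` into a dict, that `jwt_config.enabled` defaults to false when absent while `password_config.enabled` and `password_config.localdb_enabled` default to true (as the advisory states for the local password database), and the user-record layout (`user_id`, `deactivated`, `has_password`) is a constructed shape for the example rather than Synapse's real schema.

```python
import re
from typing import Any, Mapping, Sequence

# Fix version stated in the advisory and match rule (affected: < 1.85.0).
FIXED_VERSION = "1.85.0"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:rc(\d+))?$")


def parse_version(text: str) -> tuple:
    """Turn a Synapse version string into a comparable tuple.

    Release candidates ("1.85.0rc1") sort before the final release
    ("1.85.0"), so an rc build of the fix version still counts as affected.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, rc = m.groups()
    # Final releases get a higher marker (1) than release candidates (0).
    return (int(major), int(minor), int(patch), 0 if rc else 1, int(rc or 0))


def is_affected_version(version: str) -> bool:
    return parse_version(version) < parse_version(FIXED_VERSION)


def jwt_login_enabled(config: Mapping[str, Any]) -> bool:
    # Assumption: jwt_config.enabled is false when the key is absent.
    jwt_cfg = config.get("jwt_config") or {}
    return jwt_cfg.get("enabled", False) is True


def localdb_login_enabled(config: Mapping[str, Any]) -> bool:
    # The advisory says the local password database is on by default, so
    # both keys are treated as true when absent. Only a literal `true`
    # counts as enabling password login (assumption: any other value is
    # treated as not enabling it).
    pw_cfg = config.get("password_config") or {}
    return pw_cfg.get("enabled", True) is True and pw_cfg.get("localdb_enabled", True) is True


def assess(config: Mapping[str, Any], version: str) -> dict:
    """Classify an installation against the conditions in the advisory."""
    affected_version = is_affected_version(version)
    jwt = jwt_login_enabled(config)
    localdb = localdb_login_enabled(config)
    if not affected_version:
        exposure = "fixed"      # running 1.85.0 or later
    elif jwt:
        exposure = "jwt"        # condition 1: JWT login is enabled
    elif localdb:
        exposure = "localdb"    # condition 2: only if a password is set after deactivation
    else:
        exposure = "none"       # SSO or external password provider only
    return {
        "version_affected": affected_version,
        "jwt_login": jwt,
        "localdb_login": localdb,
        "exposure": exposure,
    }


def deactivated_users_with_password(users: Sequence[Mapping[str, Any]]) -> list:
    """Return the IDs of deactivated accounts that still have a password set.

    The record layout (user_id, deactivated, has_password) is constructed
    for this example and is not Synapse's database schema.
    """
    return [u["user_id"] for u in users if u.get("deactivated") and u.get("has_password")]


if __name__ == "__main__":
    # Constructed sample configuration and user records (not real data).
    sample_config = {"jwt_config": {"enabled": True}, "password_config": {"enabled": True}}
    print(assess(sample_config, "1.84.1"))
    sample_users = [
        {"user_id": "@alice:example.org", "deactivated": False, "has_password": True},
        {"user_id": "@bob:example.org", "deactivated": True, "has_password": True},
        {"user_id": "@carol:example.org", "deactivated": True, "has_password": False},
    ]
    print(deactivated_users_with_password(sample_users))
```

An exposure of `localdb` on an affected version is only exploitable if an admin sets a password on an already-deactivated account, which is why the second function exists: it is the check behind the advisory's mitigation of ensuring deactivated users have no password.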
NVD Severity
medium
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
MISC https://github.com/matrix-org/synapse/security/advisories/GHSA-26c5-ppr8-f33p
MISC https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#password_config
MISC https://github.com/matrix-org/synapse/pull/15624
MISC https://matrix-org.github.io/synapse/latest/admin_api/user_admin_api.html#create-or-modify-account
MISC https://matrix-org.github.io/synapse/latest/jwt.html
MISC https://github.com/matrix-org/synapse/pull/15634
MISC https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6DH5A5YEB5LRIPP32OUW25FCGZFCZU2/

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:matrix:synapse:*:*:*:*:*:*:*:* synapse >= None < 1.85.0

Vulnerable and fixed packages

Source package Branch Version Maintainer Status