CVE-2023-42453

CVE-2023-42453

Name

CVE-2023-42453

Description

Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. Users were able to forge read receipts for any event (if they knew the room ID and event ID). Note that the users were not able to view the events, but simply mark it as read. This could be confusing as clients will show the event as read by the user, even if they are not in the room. This issue has been patched in version 1.93.0. Users are advised to upgrade. There are no known workarounds for this issue.

NVD Severity

unknown

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
MISC	https://github.com/matrix-org/synapse/security/advisories/GHSA-7565-cq32-vx2x
MISC	https://github.com/matrix-org/synapse/pull/16327
Mailing List	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/65QPC55I4D27HIZP7H2NQ34EOXHPP4AO/
Mailing List	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AFB2Y3S2VCPCN5P2XCZTG24MBMZ7DM4/
MISC	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N6P4QULVUE254WI7XF2LWWOGHCYVFXFY/
security-advisories@github.com	https://security.gentoo.org/glsa/202401-12

Type

URI

MISC

https://github.com/matrix-org/synapse/security/advisories/GHSA-7565-cq32-vx2x

MISC

https://github.com/matrix-org/synapse/pull/16327

Mailing List

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/65QPC55I4D27HIZP7H2NQ34EOXHPP4AO/

Mailing List

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AFB2Y3S2VCPCN5P2XCZTG24MBMZ7DM4/

MISC

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N6P4QULVUE254WI7XF2LWWOGHCYVFXFY/

security-advisories@github.com

https://security.gentoo.org/glsa/202401-12

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:matrix:synapse::::::::`	synapse	>= 1.34.0	< 1.93.0

CPE URI

Source package

Min version

Max version

cpe:2.3:a:matrix:synapse:*:*:*:*:*:*:*:*

synapse

>= 1.34.0

< 1.93.0

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
synapse	edge-community	1.93.0-r0	6543 <6543@obermui.de>	fixed
synapse	edge-community	1.85.1-r0	6543 <6543@obermui.de>	possibly vulnerable
synapse	edge-community	1.74.0-r0	6543 <6543@obermui.de>	possibly vulnerable
synapse	edge-community	1.69.0-r0	None	possibly vulnerable
synapse	edge-community	1.68.0-r0	None	possibly vulnerable
synapse	edge-community	1.61.1-r0	6543 <6543@obermui.de>	possibly vulnerable
synapse	edge-community	1.47.1-r0	Leo <thinkabit.ukim@gmail.com>	possibly vulnerable
synapse	edge-community	1.41.1-r0	Leo <thinkabit.ukim@gmail.com>	possibly vulnerable
synapse	3.22-community	1.93.0-r0	None	fixed
synapse	3.22-community	1.85.1-r0	None	possibly vulnerable
synapse	3.22-community	1.74.0-r0	None	possibly vulnerable
synapse	3.22-community	1.69.0-r0	None	possibly vulnerable
synapse	3.22-community	1.68.0-r0	None	possibly vulnerable
synapse	3.22-community	1.61.1-r0	None	possibly vulnerable
synapse	3.22-community	1.47.1-r0	None	possibly vulnerable
synapse	3.22-community	1.41.1-r0	None	possibly vulnerable
synapse	3.21-community	1.93.0-r0	None	fixed
synapse	3.20-community	1.93.0-r0	None	fixed
synapse	3.19-community	1.93.0-r0	None	fixed
synapse	3.18-community	1.93.0-r0	6543 <6543@obermui.de>	fixed

Source package

Branch

Version

Maintainer

Status

References

Match rules

Vulnerable and fixed packages