Bug 2209960 (CVE-2022-39335) - CVE-2022-39335 matrix-synapse: Synapse does not apply enough checks to servers requesting auth events of events in a room
Summary: CVE-2022-39335 matrix-synapse: Synapse does not apply enough checks to server...
Alias: CVE-2022-39335
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 2209961
TreeView+ depends on / blocked
Reported: 2023-05-25 10:37 UTC by Avinash Hanwate
Modified: 2023-05-25 15:41 UTC (History)
0 users

Fixed In Version: matrix-synapse 1.69.0
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2023-05-25 15:41:56 UTC

Attachments (Terms of Use)

Description Avinash Hanwate 2023-05-25 10:37:53 UTC
The Matrix Federation API allows remote homeservers to request the authorisation events of events in a room. This is necessary so that a homeserver receiving some events can validate that those events are legitimate and permitted in their room.
However, in versions of Synapse up to and including 1.68.0, a Synapse homeserver answering a query for authorisation events does not sufficiently check that the requesting server should be able to access them.

Authorisation events include power level events (the list of user IDs and their power levels at the time) and relevant membership events (including the display name of the sender of that event), as well as events like m.room.create, m.room.third_party_invite and m.room.join_rules. Non-authorisation events are unaffected, so it isn't possible to e.g. extract message contents this way.

This issue is only exploitable when a malicious actor knows the ID of a target room and the ID of an event from that room. In most cases, this makes exploitation infeasible. This issue is of negligible consequence for public rooms given that any server can easily join the room in order to be allowed to view authorisation events. Further, deployments in a closed federation where all homeservers are trustworthy are not affected.

Comment 1 Avinash Hanwate 2023-05-25 10:39:20 UTC
Created matrix-synapse tracking bugs for this issue:

Affects: fedora-all [bug 2209961]

Comment 2 Product Security DevOps Team 2023-05-25 15:41:54 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.

Note You need to log in before you can comment on or make changes to this bug.