CVE-2023-42453

low-risk
Published 2023-09-27

Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. Users were able to forge read receipts for any event (if they knew the room ID and event ID). Note that the users were not able to view the events, but simply mark it as read. This could be confusing as clients will show the event as read by the user, even if they are not in the room. This issue has been patched in version 1.93.0. Users are advised to upgrade. There are no known workarounds for this issue.

Do I need to act?

-
0.22% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
3
CVSS 3.1/10 Low
NETWORK / HIGH complexity

Affected Products (3)

Affected Vendors

Fedoraproject Matrix

References (12)

Issue Tracking https://github.com/matrix-org/synapse/pull/16327
Vendor Advisory https://github.com/matrix-org/synapse/security/advisories/GHSA-7565-cq32-vx2x
Mailing List https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproje...
Mailing List https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproje...
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproje...
https://security.gentoo.org/glsa/202401-12
Issue Tracking https://github.com/matrix-org/synapse/pull/16327
Vendor Advisory https://github.com/matrix-org/synapse/security/advisories/GHSA-7565-cq32-vx2x
Mailing List https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproje...
Mailing List https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproje...
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproje...
https://security.gentoo.org/glsa/202401-12
21
/ 100
low-risk
Severity 11/34 · Low
Exploitability 1/34 · Minimal
Exposure 9/34 · Low