CVE-2023-43796

CVSS V2 None CVSS V3 None

Description

Synapse is an open-source Matrix homeserver Prior to versions 1.95.1 and 1.96.0rc1, cached device information of remote users can be queried from Synapse. This can be used to enumerate the remote users known to a homeserver. System administrators are encouraged to upgrade to Synapse 1.95.1 or 1.96.0rc1 to receive a patch. As a workaround, the `federation_domain_whitelist` can be used to limit federation traffic with a homeserver.

Overview

CVE ID
CVE-2023-43796

Assigner
GitHub_M

Vulnerability Status
PUBLISHED

Published Version
2023-10-31T16:52:48.505Z

Last Modified Date
2023-10-31T16:52:48.505Z

Weakness Enumerations

CWE	URL
CWE-200	http://cwe.mitre.org/data/definitions/200.html

References

Reference URL	Reference Tags
https://github.com/matrix-org/synapse/security/advisories/GHSA-mp92-3jfm-3575	x_refsource_CONFIRM
https://github.com/matrix-org/synapse/commit/daec55e1fe120c564240c5386e77941372bf458f	x_refsource_MISC
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VH3RNC5ZPQZ4OKPSL4E6BBJSZOQLGDEY/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2IDEEZMFJBDLTFHQUTZRJJNCOZGQ2ZVS/
https://security.gentoo.org/glsa/202401-12

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2023-43796
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-43796

History

Created	Old Value	New Value	Data Type	Notes
2024-06-25 15:38:01				Added to TrackCVE