Bug 1211783 (CVE-2022-39374)

Summary: VUL-0: CVE-2022-39374: matrix-synapse: Synapse Denial of service due to incorrect application of event authorization rules during state resolution
Product: [Novell Products] SUSE Security Incidents
Reporter: Stoyan Manolov <stoyan.manolov>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P5 - None
CC: security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/367458/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Stoyan Manolov 2023-05-29 02:59:10 UTC
CVE-2022-39374

Synapse is an open-source Matrix homeserver written and maintained by the
Matrix.org Foundation. If Synapse and a malicious homeserver are both joined to
the same room, the malicious homeserver can trick Synapse into accepting
previously rejected events into its view of the current state of that room. This
can be exploited in a way that causes all further messages and state changes
sent in that room from the vulnerable homeserver to be rejected. This issue has
been patched in version 1.68.0.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-39374
https://bugzilla.redhat.com/show_bug.cgi?id=2209956
https://www.cve.org/CVERecord?id=CVE-2022-39374
https://github.com/matrix-org/synapse/pull/13723
https://github.com/matrix-org/synapse/security/advisories/GHSA-p9qp-c452-f9r7
Comment 1 Stoyan Manolov 2023-05-29 02:59:27 UTC
Fixed version >= v1.68.0.

SUSE:Factory/matrix-synapse ships version v1.77.0, so nothing to do here. Closing.