Bug 1216770 (CVE-2023-43796) - VUL-0: CVE-2023-43796: matrix-synapse: Cached device information of remote users can be queried from Synapse. This can be used to enumerate the remote users known to a homeserver.
Status: VERIFIED FIXED
Alias: CVE-2023-43796
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: Security
Version: Current
Hardware: Other Other
Importance: P3 - Medium : Normal
Target Milestone: ---
Assignee: Oliver Kurz
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/383724/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-11-01 05:22 UTC by SMASH SMASH
Modified: 2023-11-05 10:03 UTC
CC List: 2 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description SMASH SMASH 2023-11-01 05:22:04 UTC
Synapse is an open-source Matrix homeserver. Prior to versions 1.95.1 and
1.96.0rc1, cached device information of remote users can be queried from
Synapse. This can be used to enumerate the remote users known to a homeserver.
System administrators are encouraged to upgrade to Synapse 1.95.1 or 1.96.0rc1
to receive a patch. As a workaround, the `federation_domain_whitelist` can be
used to limit federation traffic with a homeserver.


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-43796
Comment 3 Marcus Rückert 2023-11-03 12:01:00 UTC
This is already submitted to the devel project and Factory. My branch is already on rc1 for the next major release.
Comment 4 Oliver Kurz 2023-11-05 10:03:34 UTC
Right, fixed with https://build.opensuse.org/request/show/1122657
Comment 5 Oliver Kurz 2023-11-05 10:03:42 UTC
https://build.opensuse.org/request/show/1122657