Skip to main content

Synapse CVE-2023-41335

LOW
Cleartext Storage of Sensitive Information (CWE-312)
2023-09-27 security-advisories@github.com
3.7
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.7 LOW
AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Sep 27, 2023 - 15:19 nvd
LOW 3.7

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 pypi packages depend on matrix-synapse (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 1.66.0.

DescriptionNVD

Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. When users update their passwords, the new credentials may be briefly held in the server database. While this doesn't grant the server any added capabilities-it already learns the users' passwords as part of the authentication process-it does disrupt the expectation that passwords won't be stored in the database. As a result, these passwords could inadvertently be captured in database backups for a longer duration. These temporarily stored passwords are automatically erased after a 48-hour window. This issue has been addressed in version 1.93.0. Users are advised to upgrade. There are no known workarounds for this issue.

AnalysisAI

Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable.

Technical ContextAI

This vulnerability is classified under CWE-312. Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. When users update their passwords, the new credentials may be briefly held in the server database. While this doesn't grant the server any added capabilities-it already learns the users' passwords as part of the authentication process-it does disrupt the expectation that passwords won't be stored in the database. As a result, these passwords could inadvertently be captured in database backups for a longer duration. These temporarily stored passwords are automatically erased after a 48-hour window. This issue has been addressed in version 1.93.0. Users are advised to upgrade. There are no known workarounds for this issue. Affected products include: Matrix Synapse, Fedoraproject Fedora. Version information: version 1.93.0..

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2017-9769 CRITICAL POC
9.8 Aug 02

A specially crafted IOCTL can be issued to the rzpnk.sys driver in Razer Synapse 2.20.15.1104 that is forwarded to ZwOpe

CVE-2017-15708 CRITICAL
9.8 Dec 11

In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI). Rated critical seve

CVE-2019-18835 CRITICAL
9.8 Nov 08

Matrix Synapse before 1.5.0 mishandles signature checking on some federation APIs. Rated critical severity (CVSS 9.8), t

CVE-2021-30494 MEDIUM POC
5.5 Apr 14

Multiple system services installed alongside the Razer Synapse 3 software suite perform privileged operations on entries

CVE-2021-30493 MEDIUM POC
5.5 Apr 14

Multiple system services installed alongside the Razer Synapse 3 software suite perform privileged operations on entries

CVE-2018-16515 HIGH
8.8 Sep 18

Matrix Synapse before 0.33.3.1 allows remote attackers to spoof events and possibly have unspecified other impacts by le

CVE-2025-30355 HIGH
7.1 Mar 27

Synapse is an open source Matrix homeserver implementation. Rated high severity (CVSS 7.1), this vulnerability is remote

CVE-2017-11652 HIGH
8.4 Aug 18

Razer Synapse 2.20.15.1104 and earlier uses weak permissions for the CrashReporter directory, which allows local users t

CVE-2023-32323 MEDIUM POC
4.3 May 26

Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. Rated medium severity (

CVE-2021-21332 HIGH
8.2 Mar 26

Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Rated high severity (CVSS 8.2)

CVE-2017-14398 HIGH
7.8 Sep 13

rzpnk.sys in Razer Synapse 2.20.15.1104 allows local users to read and write to arbitrary memory locations, and conseque

CVE-2017-11653 HIGH
7.8 Aug 18

Razer Synapse 2.20.15.1104 and earlier uses weak permissions for the Devices directory, which allows local users to gain

Share

CVE-2023-41335 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy