Skip to main content

Synapse CVE-2023-42453

MEDIUM
Improper Authorization (CWE-285)
2023-09-27 security-advisories@github.com
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Sep 27, 2023 - 15:19 nvd
MEDIUM 4.3

DescriptionNVD

Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. Users were able to forge read receipts for any event (if they knew the room ID and event ID). Note that the users were not able to view the events, but simply mark it as read. This could be confusing as clients will show the event as read by the user, even if they are not in the room. This issue has been patched in version 1.93.0. Users are advised to upgrade. There are no known workarounds for this issue.

AnalysisAI

Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.

Technical ContextAI

This vulnerability is classified under CWE-285. Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. Users were able to forge read receipts for any event (if they knew the room ID and event ID). Note that the users were not able to view the events, but simply mark it as read. This could be confusing as clients will show the event as read by the user, even if they are not in the room. This issue has been patched in version 1.93.0. Users are advised to upgrade. There are no known workarounds for this issue. Affected products include: Matrix Synapse, Fedoraproject Fedora. Version information: version 1.93.0..

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2017-9769 CRITICAL POC
9.8 Aug 02

A specially crafted IOCTL can be issued to the rzpnk.sys driver in Razer Synapse 2.20.15.1104 that is forwarded to ZwOpe

CVE-2017-15708 CRITICAL
9.8 Dec 11

In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI). Rated critical seve

CVE-2019-18835 CRITICAL
9.8 Nov 08

Matrix Synapse before 1.5.0 mishandles signature checking on some federation APIs. Rated critical severity (CVSS 9.8), t

CVE-2021-30494 MEDIUM POC
5.5 Apr 14

Multiple system services installed alongside the Razer Synapse 3 software suite perform privileged operations on entries

CVE-2021-30493 MEDIUM POC
5.5 Apr 14

Multiple system services installed alongside the Razer Synapse 3 software suite perform privileged operations on entries

CVE-2018-16515 HIGH
8.8 Sep 18

Matrix Synapse before 0.33.3.1 allows remote attackers to spoof events and possibly have unspecified other impacts by le

CVE-2025-30355 HIGH
7.1 Mar 27

Synapse is an open source Matrix homeserver implementation. Rated high severity (CVSS 7.1), this vulnerability is remote

CVE-2017-11652 HIGH
8.4 Aug 18

Razer Synapse 2.20.15.1104 and earlier uses weak permissions for the CrashReporter directory, which allows local users t

CVE-2023-32323 MEDIUM POC
4.3 May 26

Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. Rated medium severity (

CVE-2021-21332 HIGH
8.2 Mar 26

Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Rated high severity (CVSS 8.2)

CVE-2017-14398 HIGH
7.8 Sep 13

rzpnk.sys in Razer Synapse 2.20.15.1104 allows local users to read and write to arbitrary memory locations, and conseque

CVE-2017-11653 HIGH
7.8 Aug 18

Razer Synapse 2.20.15.1104 and earlier uses weak permissions for the Devices directory, which allows local users to gain

Share

CVE-2023-42453 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy