#VU77060 Improper access control in Synapse - CVE-2023-32682


| Updated: 2023-06-08

Vulnerability identifier: #VU77060

Vulnerability risk: Low

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2023-32682

CWE-ID: CWE-284

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Synapse
Server applications / Conferencing, Collaboration and VoIP solutions

Vendor: Matrix.org

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper checks for deactivated users during login. A remote user can login when using uncommon configurations.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Synapse: 1.0.0 - 1.84.1

External links
https://github.com/matrix-org/synapse/security/advisories/GHSA-26c5-ppr8-f33p
https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#password_config
https://github.com/matrix-org/synapse/pull/15624
https://matrix-org.github.io/synapse/latest/admin_api/user_admin_api.html#create-or-modify-account
https://matrix-org.github.io/synapse/latest/jwt.html
https://github.com/matrix-org/synapse/pull/15634
https://github.com/matrix-org/synapse/releases/tag/v1.85.0

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Fedora 38 update for matrix-synapse
Fedora 38 update for matrix-synapse
Fedora 38 update for matrix-synapse
Multiple vulnerabilities in Matrix Synapse