Vulnerabilities > Matrix

DATE CVE VULNERABILITY TITLE RISK
2019-11-08 CVE-2019-18835 Insufficient Verification of Data Authenticity vulnerability in Matrix Synapse
Matrix Synapse before 1.5.0 mishandles signature checking on some federation APIs.
network
low complexity
matrix CWE-345
critical
9.8
2019-05-09 CVE-2019-11842 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Matrix Sydent and Synapse
An issue was discovered in Matrix Sydent before 1.0.3 and Synapse before 0.99.3.1.
network
low complexity
matrix CWE-338
7.5
2019-04-19 CVE-2019-11340 Improper Input Validation vulnerability in Matrix Sydent 1.0.0/1.0.1
util/emailutils.py in Matrix Sydent before 1.0.2 mishandles registration restrictions that are based on e-mail domain, if the allowed_local_3pids option is enabled.
network
high complexity
matrix CWE-20
5.9
2019-03-21 CVE-2019-5885 Use of Insufficiently Random Values vulnerability in multiple products
Matrix Synapse before 0.34.0.1, when the macaroon_secret_key authentication parameter is not set, uses a predictable value to derive a secret key and other secrets which could allow remote attackers to impersonate users.
network
low complexity
matrix fedoraproject CWE-330
7.5
2018-09-18 CVE-2018-16515 Improper Verification of Cryptographic Signature vulnerability in multiple products
Matrix Synapse before 0.33.3.1 allows remote attackers to spoof events and possibly have unspecified other impacts by leveraging improper transaction and event signature validation.
network
low complexity
matrix debian CWE-347
8.8
2018-06-14 CVE-2018-12423 Unspecified vulnerability in Matrix Synapse
In Synapse before 0.31.2, unauthorised users can hijack rooms when there is no m.room.power_levels event in force.
network
low complexity
matrix
7.5
2018-06-13 CVE-2018-12291 Unspecified vulnerability in Matrix Synapse
The on_get_missing_events function in handlers/federation.py in Matrix Synapse before 0.31.1 has a security bug in the get_missing_events federation API where event visibility rules were not applied correctly.
network
low complexity
matrix
7.5
2018-05-02 CVE-2018-10657 Improper Input Validation vulnerability in Matrix Synapse
Matrix Synapse before 0.28.1 is prone to a denial of service flaw where malicious events injected with depth = 2^63 - 1 render rooms unusable, related to federation/federation_base.py and handlers/message.py, as exploited in the wild in April 2018.
network
low complexity
matrix CWE-20
7.5