{"id":"GHSA-cppw-2mf8-qpm5","summary":"Improper Verification of Cryptographic Signature in matrix-synapse","details":"Matrix Synapse before 1.5.0 mishandles signature checking on some federation APIs. Events sent over `/send_join`, `/send_leave`, and `/invite` may not be correctly signed, or may not come from the expected servers.","aliases":["CVE-2019-18835","PYSEC-2019-186"],"modified":"2025-02-15T05:31:32.881343Z","published":"2022-05-24T22:01:05Z","database_specific":{"severity":"HIGH","github_reviewed":true,"cwe_ids":["CWE-347"],"github_reviewed_at":"2022-09-19T19:32:08Z","nvd_published_at":"2019-11-08T00:15:00Z"},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2019-18835"},{"type":"WEB","url":"https://github.com/matrix-org/synapse/pull/6262"},{"type":"WEB","url":"https://github.com/matrix-org/synapse/commit/172f264ed38e8bef857552f93114b4ee113a880b"},{"type":"PACKAGE","url":"https://github.com/matrix-org/synapse"},{"type":"WEB","url":"https://github.com/matrix-org/synapse/releases/tag/v1.5.0"},{"type":"WEB","url":"https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2019-186.yaml"}],"affected":[{"package":{"name":"matrix-synapse","ecosystem":"PyPI","purl":"pkg:pypi/matrix-synapse"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.5.0"}]}],"versions":["0.33.5","0.33.5.1","0.33.6","0.33.6rc1","0.33.7","0.33.7rc1","0.33.7rc2","0.33.8","0.33.8rc2","0.33.9","0.34.0","0.34.0.1","0.34.0rc1","0.34.0rc2","0.34.1.1","0.99.0","0.99.0rc1","0.99.0rc2","0.99.0rc3","0.99.0rc4","0.99.1","0.99.1.1","0.99.1rc1","0.99.1rc2","0.99.2","0.99.2rc1","0.99.3","0.99.3.1","0.99.3.2","0.99.3rc1","0.99.4","0.99.4rc1","0.99.5","0.99.5.1","0.99.5.2","0.99.5rc1","1.0.0","1.0.0rc1","1.0.0rc2","1.0.0rc3","1.1.0","1.1.0rc1","1.1.0rc2","1.2.0","1.2.0rc1","1.2.0rc2","1.2.1","1.3.0","1.3.0rc1","1.3.1","1.4.0","1.4.0rc1","1.4.0rc2","1.4.1","1.4.1rc1","1.5.0rc1","1.5.0rc2"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-cppw-2mf8-qpm5/GHSA-cppw-2mf8-qpm5.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"},{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N"}]}