CVE-2022-39200
CVE-2022-39200 is a medium-severity vulnerability rated 5.3/10 on the CVSS scale. Dendrite is a Matrix homeserver written in Go. In affected versions events retrieved from a remote homeserver using the `/get_missing_events` path did not have their signatures verified correctly. EPSS estimates a 0.30% chance of exploitation in the next 30 days.
Description
Dendrite is a Matrix homeserver written in Go. In affected versions events retrieved from a remote homeserver using the `/get_missing_events` path did not have their signatures verified correctly. This could potentially allow a remote homeserver to provide invalid/modified events to Dendrite via this endpoint. Note that this does not apply to events retrieved through other endpoints (e.g. `/event`, `/state`) as they have been correctly verified. Homeservers that have federation disabled are not vulnerable. The problem has been fixed in Dendrite 0.9.8. Users are advised to upgrade. There are no known workarounds for this issue.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Matrix | Dendrite | < 0.9.8 |
References
- https://github.com/matrix-org/dendrite/commit/2792d0490f3771488bad346981b8c26479a872c3 (Patch, Third Party Advisory)
- https://github.com/matrix-org/dendrite/security/advisories/GHSA-pfw4-xjgm-267c (Third Party Advisory)
Source: NVD / NIST
