admin/cvelist
1
0
Fork 0
mirror of https://github.com/CVEProject/cvelist.git synced 2025-08-04 08:44:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

Auto-merge PR#255

Browse Source 
Auto-merge PR#255
This commit is contained in:
CVE Team 2020-12-09 13:25:20 -05:00 committed by GitHub
commit ac48adf58a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 94 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

100
2020/26xxx/CVE-2020-26257.json
View File

@ -1,18 +1,106 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-26257",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"STATE": "PUBLIC",
"TITLE": "Denial of service attack via incorrect parameters to federation APIs"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "synapse",
"version": {
"version_data": [
{
"version_value": "< 1.23.1"
}
]
}
}
]
},
"vendor_name": "matrix-org"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "Matrix is an ecosystem for open federated Instant Messaging and VoIP. Synapse is a reference \"homeserver\" implementation of Matrix. \n\nA malicious or poorly-implemented homeserver can inject malformed events into a room by specifying a different room id in the path of a `/send_join`, `/send_leave`, `/invite` or `/exchange_third_party_invite` request. This can lead to a denial of service in which future events will not be correctly sent to other servers over federation. This affects any server which accepts federation requests from untrusted servers.\n\nThe Matrix Synapse reference implementation before version 1.23.1 the implementation is vulnerable to this injection attack.\n\nIssue is fixed in version 1.23.1.\n\nAs a workaround homeserver administrators could limit access to the federation API to trusted servers (for example via `federation_domain_whitelist`)."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-400 Uncontrolled Resource Consumption"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/matrix-org/synapse/security/advisories/GHSA-hxmp-pqch-c8mm",
"refsource": "CONFIRM",
"url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-hxmp-pqch-c8mm"
},
{
"name": "https://github.com/matrix-org/synapse/pull/8776",
"refsource": "MISC",
"url": "https://github.com/matrix-org/synapse/pull/8776"
},
{
"name": "https://github.com/matrix-org/synapse/commit/3ce2f303f15f6ac3dc352298972dc6e04d9b7a8b",
"refsource": "MISC",
"url": "https://github.com/matrix-org/synapse/commit/3ce2f303f15f6ac3dc352298972dc6e04d9b7a8b"
},
{
"name": "https://github.com/matrix-org/synapse/blob/develop/CHANGES.md#synapse-1231-2020-12-09",
"refsource": "MISC",
"url": "https://github.com/matrix-org/synapse/blob/develop/CHANGES.md#synapse-1231-2020-12-09"
}
]
},
"source": {
"advisory": "GHSA-hxmp-pqch-c8mm",
"discovery": "UNKNOWN"
}
}