
CVE-2018-16515: Matrix Synapse Improper Signature Validation

CVSS Score (v3.0): 8.8

Basic Information

EPSS Score: 0.67595%
Published: 5/13/2022
Updated: 10/6/2023
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name     Ecosystem   Vulnerable Versions       First Patched Version
matrix-synapse   pip         >= 0.33.3, < 0.33.3.1     0.33.3.1
matrix-synapse   pip         < 0.33.2.1                0.33.2.1

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from improper validation of cryptographic signatures on events. The patch introduced in commit 5bf8bc7 adds validation for both the sender's server and the event_id domain's server. The pre-patch version of _check_sigs_and_hashes in federation_base.py only checked signatures from the event's origin server (via p.origin) and used a single verification step via keyring.verify_json_objects_for_server. The post-patch code splits this into multiple checks via _check_sigs_on_pdus, explicitly validating both event_id_domain and sender_domain signatures (except for 3pid invites). The lack of event_id domain validation in the original function directly matches the CWE-347 description and the vulnerability's root cause.
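As an added illustration (not Synapse's code), the domain-selection logic described above: which servers' signatures a PDU must carry before the patch (origin only) and after it (event_id domain plus sender domain, except for 3pid invites). It assumes room-v1-style event IDs of the form $localpart:domain and substitutes HMAC-SHA256 for Matrix's ed25519 signing so it runs with the standard library alone; the server names, keys and sample PDU are constructed.

```python
import hashlib
import hmac
import json

def canonical_json(obj):  # Matrix canonical JSON: sorted keys, no whitespace
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def domain_of(identifier):  # server name after the first ':' of an event_id/user_id
    return identifier.split(":", 1)[1]

def required_signers(pdu, patched=True):
    """Servers whose signature the PDU must carry. Pre-patch: only the
    claimed origin. Patched: the event_id domain, plus the sender domain
    unless the event is a third-party (3pid) invite."""
    if not patched:
        return {pdu["origin"]}
    required = {domain_of(pdu["event_id"])}
    is_3pid_invite = (pdu["type"] == "m.room.member"
                      and "third_party_invite" in pdu.get("content", {}))
    if not is_3pid_invite:
        required.add(domain_of(pdu["sender"]))
    return required

def mac_for(pdu, key):
    """Stand-in for ed25519: HMAC-SHA256 over the event minus signatures/unsigned."""
    body = {k: v for k, v in pdu.items() if k not in ("signatures", "unsigned")}
    return hmac.new(key, canonical_json(body), hashlib.sha256).hexdigest()

def sign(pdu, server, key):  # constructed helper, not Synapse's signing code
    pdu.setdefault("signatures", {})[server] = {"hmac:key0": mac_for(pdu, key)}
    return pdu

def check_sigs(pdu, server_keys, patched=True):
    """Accept the PDU only if every required server has a valid signature."""
    for server in required_signers(pdu, patched):
        given = pdu.get("signatures", {}).get(server, {}).get("hmac:key0")
        key = server_keys.get(server)
        if given is None or key is None:
            return False
        if not hmac.compare_digest(given, mac_for(pdu, key)):
            return False
    return True

# Constructed sample: hs-a.example relays a PDU whose event_id and sender both
# name hs-b.example, but the PDU carries only hs-a.example's signature.
SERVER_KEYS = {"hs-a.example": b"key-a", "hs-b.example": b"key-b"}
SPOOFED = sign({"event_id": "$ev1:hs-b.example", "sender": "@alice:hs-b.example",
                "origin": "hs-a.example", "type": "m.room.message",
                "content": {"body": "hi"}}, "hs-a.example", SERVER_KEYS["hs-a.example"])
assert check_sigs(SPOOFED, SERVER_KEYS, patched=False) and not check_sigs(SPOOFED, SERVER_KEYS)
```

The origin-only check accepts the sample because the claimed origin did sign it; the patched check rejects it because the server named in event_id and sender never did.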


WAF Protection Rules

WAF Rule

Matrix Synapse before 0.33.3.1 and 0.33.2.1 allows remote attackers to spoof events and possibly have unspecified other impacts by leveraging improper transaction and event signature validation.
