7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-31152

GHSA ID

GHSA-jhjh-776m-4765

EPSS Score

0.36388%

CWE

CWE-703

Published

8/31/2022

Updated

9/30/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-31152

CVE-2022-31152:
Denial of service due to incorrect application of event authorization rules

Impact

The Matrix specification specifies a list of event authorization rules which must be checked when determining if an event should be accepted into a room.

In versions of Synapse up to and including v1.61, some of these rules are not correctly applied. An attacker could craft events which would be accepted by Synapse but not a spec-conformant server, potentially causing divergence in the room state between servers.

Patches

Administrators of homeservers with federation enabled are advised to upgrade to v1.62.0 or higher.

Workarounds

Federation can be disabled by setting federation_domain_whitelist to an empty list ([]).

References

https://github.com/matrix-org/synapse/pull/13087
https://github.com/matrix-org/synapse/pull/13088

For more information

If you have any questions or comments about this advisory, e-mail us at security@matrix.org.

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-31152

GHSA ID

GHSA-jhjh-776m-4765

EPSS Score

0.36388%

CWE

CWE-703

Published

8/31/2022

Updated

9/30/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
matrix-synapse	pip	< 1.62.0rc1	1.62.0rc1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from missing checks in the event authorization flow. The patch in commit d4b1c0d adds critical validation for: 1) duplicate auth_events entries (CWE-703), and 2) auth_events not matching expected types (CWE-755). The modified function check_state_independent_auth_rules in synapse/event_auth.py lacked these checks in vulnerable versions, as shown by the added validation logic and corresponding test cases in the diff. This directly matches the described vulnerability where invalid events could be accepted.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t T** M*trix sp**i*i**tion sp**i*i*s * list o* [*v*nt *ut*oriz*tion rul*s](*ttps://sp**.m*trix.or*/v*.*/rooms/v**/#*ut*oriz*tion-rul*s) w*i** must ** ****k** w**n **t*rminin* i* *n *v*nt s*oul* ** ****pt** into * room. In v*rsions o* Syn*p

Reasoning

T** vuln*r**ility st*ms *rom missin* ****ks in t** *v*nt *ut*oriz*tion *low. T** p*t** in *ommit ******* ***s *riti**l v*li**tion *or: *) *upli**t* *ut*_*v*nts *ntri*s (*W*-***), *n* *) *ut*_*v*nts not m*t**in* *xp**t** typ*s (*W*-***). T** mo*i*i**

7.5

Basic Information

Concerned about an active attack path?

CVE-2022-31152: Denial of service due to incorrect application of event authorization rules

Impact

Patches

Workarounds

References

For more information

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2022-31152:
Denial of service due to incorrect application of event authorization rules

Vulnerability Intelligence
Miggo AI