5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-36009

GHSA ID

GHSA-grvv-h2f9-7v9c

EPSS Score

0.45769%

CWE

CWE-863

Published

8/30/2022

Updated

2/9/2023

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-36009

CVE-2022-36009: gomatrixserverlib and Dendrite vulnerable to incorrect parsing of the event default power level in event auth

Impact

The power level parsing within gomatrixserverlib was failing to parse the "events_default" key of the m.room.power_levels event, defaulting the event default power level to zero in all cases.

In rooms where the "events_default" power level had been changed, this could result in events either being incorrectly authorised or rejected by Dendrite servers.

Patches

gomatrixserverlib contains a fix as of commit 723fd49 and Dendrite 0.9.3 has been updated accordingly.

Workarounds

Matrix rooms where the "events_default" power level has not been changed from the default of zero are not vulnerable.

For more information

If you have any questions or comments about this advisory, e-mail us at security@matrix.org.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2022-36009

CVE-2022-36009:

5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-36009

GHSA ID

GHSA-grvv-h2f9-7v9c

EPSS Score

0.45769%

CWE

CWE-863

Published

8/30/2022

Updated

2/9/2023

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/matrix-org/dendrite	go	< 0.9.3	0.9.3
github.com/matrix-org/gomatrixserverlib	go	< 0.0.0-20220815091947-723fd495dde8	0.0.0-20220815091947-723fd495dde8

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from incorrect JSON serialization in power level parsing. The commit diff shows the struct field was incorrectly tagged as 'event_default' instead of 'events_default'. Both NewPowerLevelContentFromEvent and NewPowerLevelContentFromAuthEvents would use this struct to unmarshal power level content, making them vulnerable. The Go vulnerability report (GO-2022-0952) explicitly lists these functions as affected symbols. The test case added in eventauth_test.go validates the fix for this parsing issue.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2022-36009: gomatrixserverlib and Dendrite vulnerable to incorrect parsing of the event default power level in event auth

Impact

Patches

Workarounds

For more information

CVE-2022-36009:

5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

5

5

Basic Information

Basic Information

CVE-2022-36009: gomatrixserverlib and Dendrite vulnerable to incorrect parsing of the event default power level in event auth

Impact

Patches

Workarounds

For more information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI