5.3

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2023-43796

GHSA ID

GHSA-mp92-3jfm-3575

EPSS Score

0.3866%

CWE

CWE-200

Published

10/31/2023

Updated

2/13/2025

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-43796

CVE-2023-43796: Synapse vulnerable to leak of remote user device information

Impact

Cached device information of remote users can be queried from Synapse. This can be used to enumerate the remote users known to a homeserver.

Patches

System administrators are encouraged to upgrade to Synapse 1.95.1 as soon as possible.

Workarounds

The federation_domain_whitelist can be used to limit federation traffic with a homeserver.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2023-43796

CVE-2023-43796:

5.3

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2023-43796

GHSA ID

GHSA-mp92-3jfm-3575

EPSS Score

0.3866%

CWE

CWE-200

Published

10/31/2023

Updated

2/13/2025

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
matrix-synapse	pip	< 1.95.1	1.95.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from missing user ownership checks in federation request handlers. The commit patches explicitly add UserID validation using hs.is_mine() in these three functions to prevent querying device information for remote users. The functions handle federation API endpoints for device/key management and were vulnerable because they previously processed requests without verifying if the target user belonged to the local homeserver, enabling information leakage about remote users.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2023-43796: Synapse vulnerable to leak of remote user device information

Impact

Patches

Workarounds

CVE-2023-43796:

5.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2023-43796: Synapse vulnerable to leak of remote user device information

Impact

Patches

Workarounds

Basic Information

Basic Information

Technical Details

5.3

5.3

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI