CVE-2018-16515 — Matrix Synapse Improper Signature Validation

Description

Matrix Synapse before 0.33.3.1 and 0.33.2.1 allows remote attackers to spoof events and possibly have unspecified other impacts by leveraging improper transaction and event signature validation.

How to fix CVE-2018-16515

To remediate CVE-2018-16515, upgrade the affected package to a fixed version below.

Debian/matrix-synapse—upgrade to 0.33.3.1-1 or later
—upgrade to 0.33.3.1 or later

Is CVE-2018-16515 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 0.33.3.1-1
>= 0.33.3, < 0.33.3.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.8	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References (10)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2018-16515
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2018-16515
PATCHgithub.com/matrix-org/synapse
WEBgithub.com/matrix-org/synapse/commit/5bf8bc79ebc22c61968f2eb487714813fccbdb9b