{ "schema_version": "1.4.0", "id": "GHSA-pfw4-xjgm-267c", "modified": "2022-09-15T03:28:01Z", "published": "2022-09-15T03:28:01Z", "aliases": [ "CVE-2022-39200" ], "summary": "Dendrite signature checks not applied to some retrieved missing events", "details": "### Impact\n\nEvents retrieved from a remote homeserver using `/get_missing_events` did not have their signatures verified correctly. This could potentially allow a remote homeserver to provide invalid/modified events to Dendrite via this endpoint.\n\nNote that this does not apply to events retrieved through other endpoints (e.g. `/event`, `/state`) as they have been correctly verified.\n\nHomeservers that have federation disabled are not vulnerable.\n\n### Patches\n\nThe problem has been fixed in Dendrite 0.9.8.\n\n### Workarounds\n\nThere are no workarounds.\n\n### Special thanks\n\nTulir Asokan, who spotted the issue originally.", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" } ], "affected": [ { "package": { "ecosystem": "Go", "name": "github.com/matrix-org/dendrite" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "0.9.8" } ] } ] } ], "references": [ { "type": "WEB", "url": "https://github.com/matrix-org/dendrite/security/advisories/GHSA-pfw4-xjgm-267c" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39200" }, { "type": "WEB", "url": "https://github.com/matrix-org/dendrite/commit/2792d0490f3771488bad346981b8c26479a872c3" }, { "type": "PACKAGE", "url": "https://github.com/matrix-org/dendrite" } ], "database_specific": { "cwe_ids": [ "CWE-347" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2022-09-15T03:28:01Z", "nvd_published_at": "2022-09-12T20:15:00Z" } }