Improper Signature Handling in Matrix Synapse Federation APIs

Improper Signature Handling in Matrix Synapse Federation APIs

CVE-2019-18835 · CRITICAL Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Matrix Synapse before 1.5.0 mishandles signature checking on some federation APIs. Events sent over /send_join, /send_leave, and /invite may not be correctly signed, or may not come from the expected servers.

Learn more about our Cis Benchmark Audit For Server Software.