CVE-2023-43796 MEDIUM

CVE-2023-43796: Synapse vulnerable to leak of remote user device information

Vendor Matrix-Org

Product synapse

Weakness CWE-200 · Info exposure

Published October 31, 2023

Last update February 13, 2025

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality Low

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

Synapse is an open-source Matrix homeserver Prior to versions 1.95.1 and 1.96.0rc1, cached device information of remote users can be queried from Synapse. This can be used to enumerate the remote users known to a homeserver. System administrators are encouraged to upgrade to Synapse 1.95.1 or 1.96.0rc1 to receive a patch. As a workaround, the `federation_domain_whitelist` can be used to limit federation traffic with a homeserver.

Key dates

02Disclosure timeline

October 31, 2023 CVE published

February 13, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-43796 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/200.html

Related vulnerabilities

04Related CVE

CVE-2022-2462 Transposh WordPress Translation <= 1.0.9.6 - Sensitive Information Disclosure CVE-2022-39212 Last video frame is still sent after video is disabled in a call in Nextcloud Talk CVE-2024-38756 WordPress Coming Soon Page – Responsive Coming Soon & Maintenance Mode plugin <= 1.6.3 - Sensitive Data Exposure vulnerability CVE-2023-22453 Discourse vulnerable to exposure of user post counts per topic to unauthorized users CVE-2022-1774 Exposure of Sensitive Information to an Unauthorized Actor in jgraph/drawio