{"id":"PYSEC-2019-186","details":"Matrix Synapse before 1.5.0 mishandles signature checking on some federation APIs. Events sent over /send_join, /send_leave, and /invite may therefore be accepted even though they are not correctly signed or do not come from the expected servers.","aliases":["CVE-2019-18835","GHSA-cppw-2mf8-qpm5"],"modified":"2023-11-08T04:01:26.391997Z","published":"2019-11-08T00:15:00Z","references":[{"type":"WEB","url":"https://github.com/matrix-org/synapse/releases/tag/v1.5.0"},{"type":"WEB","url":"https://github.com/matrix-org/synapse/pull/6262"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-cppw-2mf8-qpm5"}],"affected":[{"package":{"name":"matrix-synapse","ecosystem":"PyPI","purl":"pkg:pypi/matrix-synapse"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.5.0"}]}],"versions":["0.33.5","0.33.5.1","0.33.6","0.33.6rc1","0.33.7","0.33.7rc1","0.33.7rc2","0.33.8","0.33.8rc2","0.33.9","0.34.0","0.34.0.1","0.34.0rc1","0.34.0rc2","0.34.1.1","0.99.0","0.99.0rc1","0.99.0rc2","0.99.0rc3","0.99.0rc4","0.99.1","0.99.1.1","0.99.1rc1","0.99.1rc2","0.99.2","0.99.2rc1","0.99.3","0.99.3.1","0.99.3.2","0.99.3rc1","0.99.4","0.99.4rc1","0.99.5","0.99.5.1","0.99.5.2","0.99.5rc1","1.0.0","1.0.0rc1","1.0.0rc2","1.0.0rc3","1.1.0","1.1.0rc1","1.1.0rc2","1.2.0","1.2.0rc1","1.2.0rc2","1.2.1","1.3.0","1.3.0rc1","1.3.1","1.4.0","1.4.0rc1","1.4.0rc2","1.4.1","1.4.1rc1","1.5.0rc1","1.5.0rc2"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/matrix-synapse/PYSEC-2019-186.yaml"}}],"schema_version":"1.7.3"}