{"id":"PYSEC-2019-187","details":"Matrix Synapse before 0.34.0.1, when the macaroon_secret_key authentication parameter is not set, uses a predictable value to derive a secret key and other secrets which could allow remote attackers to impersonate users.","aliases":["CVE-2019-5885","GHSA-jrqm-v8cv-53ww"],"modified":"2023-11-08T04:01:37.385415Z","published":"2019-03-21T16:01:00Z","references":[{"type":"ARTICLE","url":"https://matrix.org/blog/2019/01/15/further-details-on-critical-security-update-in-synapse-affecting-all-versions-prior-to-0-34-1-cve-2019-5885/"},{"type":"ARTICLE","url":"https://matrix.org/blog/2019/01/10/critical-security-update-synapse-0-34-0-1-synapse-0-34-1-1/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VMCLO5PUPBA756UKY72PKUWL4RRM4W6K/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/32Y6KD3OAHCG5P33HC2QEX3NUZOSXCGZ/"}],"affected":[{"package":{"name":"matrix-synapse","ecosystem":"PyPI","purl":"pkg:pypi/matrix-synapse"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.34.0.1"}]}],"versions":["0.33.5","0.33.5.1","0.33.6","0.33.6rc1","0.33.7","0.33.7rc1","0.33.7rc2","0.33.8","0.33.8rc2","0.33.9","0.34.0","0.34.0rc1","0.34.0rc2"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/matrix-synapse/PYSEC-2019-187.yaml"}}],"schema_version":"1.7.3"}