VDB
CVE-2022-39200
CVE-2022-39200
PUBLISHED
CVSS 7.300000190734863 HIGH
Dendrite is a Matrix homeserver written in Go. In affected versions events retrieved from a remote homeserver using the `/get_missing_events` path did not have their signatures verified correctly. This could potentially allow a remote homeserver to provide invalid/modified events to Dendrite via this endpoint. Note that this does not apply to events retrieved through other endpoints (e.g. `/event`, `/state`) as they have been correctly verified. Homeservers that have federation disabled are not vulnerable. The problem has been fixed in Dendrite 0.9.8. Users are advised to upgrade. There are no known workarounds for this issue.
EPSS 0.11% · 28.8th percentile
Risk Scores
CVSS v3.1
7.300000190734863
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
EPSS Score
0.11%
28.8th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| matrix-org | dendrite | < 0.9.8 |
| github.com | matrix-org/dendrite | 0 |
| matrix | dendrite | 0 |
Timeline
- Sep 12, 2022 CVE Published
- Sep 13, 2022 EPSS Score
- Sep 15, 2022 CVE Updated
- Oct 28, 2022 EPSS Score
- Dec 12, 2022 EPSS Score
- Jan 26, 2023 EPSS Score
- Mar 7, 2023 EPSS Score
- Mar 12, 2023 EPSS Score
- Apr 26, 2023 EPSS Score
- Jun 10, 2023 EPSS Score
- Jul 25, 2023 EPSS Score
- Sep 7, 2023 EPSS Score