CVE-2019-5885

Severity: High
Remote: No
Type: Private key recovery
matrix-synapse before 0.34.1 is vulnerable to private key recovery: Synapse will attempt to derive the "macaroon_secret_key" secret from other secrets specified in the configuration file. However, in all versions of Synapse up to and including 0.34.0, this derivation was faulty and a predictable value was used instead.
| Group | Package | Affected | Fixed | Severity | Status | Ticket |
|---|---|---|---|---|---|---|
| AVG-846 | matrix-synapse | 0.34.0-1 | | High | Fixed | |
| Date | Advisory | Group | Package | Severity | Type |
|---|---|---|---|---|---|
| 24 Jan 2019 | ASA-201901-12 | AVG-846 | matrix-synapse | High | private key recovery |