---

CVE-2019-5885 - log back

CVE-2019-5885 created at 25 Sep 2019 19:31:40
Severity	+ High
Remote	+ Local
Type	+ Private key recovery
Description	+ matrix-synapse before 0.34.1 is vulnerable to private key recovery as synapse will attempt to derive a secret key from other secrets specified in the configuration file for "macaroon_secret_key". However, in all versions of Synapse up to and including 0.34.0, this process was faulty and a predictable value was used instead.
References	+ https://matrix.org/blog/2019/01/15/further-details-on-critical-security-update-in-synapse-affecting-all-versions-prior-to-0-34-1-cve-2019-5885/
Notes