CVE-2020-26257 - log

CVE-2020-26257 edited at 09 Dec 2020 23:18:46
Notes
Workaround
==========
- This issue can be mitigated by disabling federation requests from untrusted servers.
+ This issue can be mitigated by limiting access to the federation API to trusted servers (for example by using federation_domain_whitelist).
CVE-2020-26257 edited at 09 Dec 2020 18:41:30
Severity
- Unknown
+ Medium
Remote
- Unknown
+ Remote
Type
- Unknown
+ Denial of service
Description
+ A security issue was found in matrix-synapse before version 1.23.1. A malicious or poorly-implemented homeserver can inject malformed events into a room by specifying a different room id in the path of a /send_join, /send_leave, /invite or /exchange_third_party_invite request. This can lead to a denial of service in which future events will not be correctly sent to other servers over federation. This affects any server which accepts federation requests from untrusted servers.
References
+ https://github.com/matrix-org/synapse/security/advisories/GHSA-hxmp-pqch-c8mm
+ https://github.com/matrix-org/synapse/pull/8776
+ https://github.com/matrix-org/synapse/commit/3ce2f303f15f6ac3dc352298972dc6e04d9b7a8b
Notes
+ Workaround
+ ==========
+
+ This issue can be mitigated by disabling federation requests from untrusted servers.
CVE-2020-26257 created at 09 Dec 2020 18:36:58