
Cloud Vulnerability DB
A community-led vulnerabilities database
Synapse, an open-source Matrix homeserver written and maintained by the Matrix.org Foundation, was found to have a vulnerability in versions up to and including 1.68.0. The vulnerability (CVE-2022-39335) relates to insufficient authorization checks when remote homeservers request authorization events in a room through the Matrix Federation API. The issue was discovered and patched in Synapse version 1.69.0 (Matrix Advisory).
The vulnerability stems from insufficient validation when processing authorization event requests from remote homeservers. When a homeserver receives events, it needs to validate their legitimacy by requesting authorization events, but Synapse failed to properly verify if the requesting server should have access to these events. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.0 (Medium) with vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L (NVD).
The vulnerability exposes authorization events, which include power level events (containing user IDs and their power levels), membership events (including display names), and other room-related state events such as m.room.create, m.room.third_party_invite, and m.room.join_rules. Exploitation requires knowledge of both the target room ID and an event ID from that room. Message contents remain protected, because non-authorization events are unaffected. The impact is considered negligible for public rooms and for closed-federation deployments (Matrix Advisory).
The primary mitigation is to upgrade to Synapse version 1.69.0 or later, which contains the patch for this vulnerability. As a workaround, administrators can configure Synapse with a federation_domain_whitelist to restrict federation to trusted servers. This workaround is impractical for homeservers participating in open federation, as it would cause inconsistent message delivery delays (Matrix Advisory).
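The missing authorization check described above, as an added illustration that is not Synapse's own code: a minimal model of a federation "get event auth" handler, first as described for affected versions (any server that knows the room ID and an event ID receives the auth chain) and then hardened to require that the requesting server has a member in the room. The room state, event IDs and server names are constructed sample data.

```python
from typing import Dict, List, Set

# Constructed sample room state: which users are joined to which room.
ROOM_MEMBERS: Dict[str, Set[str]] = {
    "!private:example.org": {"@alice:example.org", "@bob:other.example"},
}

# Constructed sample auth chain for one event: the kinds of state events
# the advisory lists (create, power levels, membership with display name).
AUTH_CHAIN: Dict[str, List[dict]] = {
    "$evt1": [
        {"type": "m.room.create", "sender": "@alice:example.org"},
        {"type": "m.room.power_levels",
         "content": {"users": {"@alice:example.org": 100}}},
        {"type": "m.room.member", "state_key": "@bob:other.example",
         "content": {"membership": "join", "displayname": "Bob"}},
    ],
}


class Forbidden(Exception):
    """Raised when a federation request fails authorization."""


def server_of(user_id: str) -> str:
    # Matrix user IDs have the form @localpart:server.name
    return user_id.split(":", 1)[1]


def host_in_room(room_id: str, origin: str) -> bool:
    """True if the requesting server 'origin' has at least one joined member."""
    return any(server_of(u) == origin for u in ROOM_MEMBERS.get(room_id, set()))


def get_event_auth_vulnerable(origin: str, room_id: str, event_id: str) -> List[dict]:
    # Behaviour the advisory describes for <= 1.68.0 (simplified model):
    # 'origin' is never consulted, so room_id + event_id suffice.
    return AUTH_CHAIN[event_id]


def get_event_auth_fixed(origin: str, room_id: str, event_id: str) -> List[dict]:
    # Hardened form: refuse unless the requesting server is in the room.
    if not host_in_room(room_id, origin):
        raise Forbidden(f"{origin} is not in {room_id}")
    return AUTH_CHAIN[event_id]
```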
Source: This report was generated using AI