CVE-2023-41335: 
Python vulnerability analysis and mitigation

Synapse, an open-source Matrix homeserver written and maintained by the Matrix.org Foundation, was found to have a vulnerability (CVE-2023-41335) where users' new passwords could be temporarily stored in the server database during password changes. The vulnerability affects versions from 1.66.0 up to (excluding) 1.93.0, and was discovered and patched in September 2023 (Matrix Advisory).

The vulnerability involves the temporary storage of plaintext passwords in the server database during password change operations. While the server already processes users' passwords during authentication, this storage behavior was unintended and could result in passwords being retained in database backups. The passwords would automatically be erased after a 48-hour window. The vulnerability has been assigned a CVSS v3.1 base score of 3.7 (LOW) with vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N (NVD).

The primary impact of this vulnerability is the potential exposure of user passwords through database backups. While the server already processes passwords during authentication, the unintended storage creates an additional security risk by keeping sensitive credentials in the database longer than necessary. This could lead to password exposure if database backups are compromised (Matrix Advisory).

The vulnerability has been fixed in Synapse version 1.93.0. Users are advised to upgrade to this version or later. There are no known workarounds for this issue other than upgrading to the patched version (Matrix Advisory).

The vulnerability was addressed through coordinated security updates across multiple platforms. Fedora Project released security updates for versions 37, 38, and 39, while Gentoo also issued an advisory recommending users upgrade to version 1.96.0 or later (Fedora Update, Gentoo Advisory).