
GHSA-4f74-84v3-j9q5

GitHub Security Advisory

matrix-synapse vulnerable to temporary storage of plaintext passwords during password changes

GitHub Reviewed | Severity: Low | Has CVE

Advisory Details

### Impact

When a user changes their password, the new password may be held in plaintext in the server database for a short time. This gives the server no capability it does not already have, since it sees users' passwords whenever they authenticate, but it breaks the expectation that passwords are never written to the database. The practical consequence is that a plaintext password can be captured in a database backup taken during that window and then persist for as long as the backup is retained.

The temporarily stored password is automatically deleted after 48 hours. Upgrading stops new passwords from being stored, but it does not remove copies already present in backups taken while an affected version was running; operators should treat such backups accordingly.
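To make the failure mode concrete, here is an added example (not Synapse's own code, and not taken from the advisory). It models the mechanism as a multi-step flow whose state is persisted to the database so the flow can resume later, which is an assumption about where such a password would be held; the advisory only states that it is held briefly and erased after 48 hours. All names are hypothetical: `SessionStore` stands in for the database table, `start_session_vulnerable` / `start_session_fixed` for the password-change handler before and after the fix, and `find_plaintext_passwords` for the audit a practitioner would run over a restored backup. The 48-hour TTL mirrors the advisory.

```python
"""Added example, not Synapse code: persisting a password-change request
body leaks the new password into the database; persisting a hash does not.
All names below are hypothetical stand-ins, not Synapse's schema or API."""
import hashlib
import hmac
import json
import os
import time

SESSION_TTL_SECONDS = 48 * 3600               # advisory: rows are erased after 48 hours
SECRET_FIELDS = {"password", "new_password"}  # request fields that must never be persisted
PBKDF2_ROUNDS = 200_000


class SessionStore:
    """Stands in for the database table holding in-progress auth sessions."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.rows = {}  # session_id -> (created_at, JSON blob), exactly what a backup would copy

    def persist(self, session_id, clientdict):
        self.rows[session_id] = (self.clock(), json.dumps(clientdict, sort_keys=True))

    def expire(self):
        """Delete sessions older than the TTL (the 48-hour cleanup); returns how many."""
        now = self.clock()
        stale = [sid for sid, (created, _) in self.rows.items()
                 if now - created >= SESSION_TTL_SECONDS]
        for sid in stale:
            del self.rows[sid]
        return len(stale)

    def dump(self):
        return {sid: json.loads(blob) for sid, (_, blob) in self.rows.items()}


def hash_password(password, salt=None):
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + dk.hex()


def verify_password(password, stored):
    salt_hex, dk_hex = stored.split("$", 1)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(dk.hex(), dk_hex)


def start_session_vulnerable(store, session_id, body):
    """Bug pattern: the whole request body is persisted so the flow can resume later."""
    store.persist(session_id, dict(body))


def start_session_fixed(store, session_id, body):
    """Fixed pattern: strip secret fields and persist only a salted hash of the new password."""
    clientdict = {k: v for k, v in body.items() if k not in SECRET_FIELDS}
    if "new_password" in body:
        clientdict["new_password_hash"] = hash_password(body["new_password"])
    store.persist(session_id, clientdict)


def find_plaintext_passwords(store):
    """Audit check over a store (or a restored backup): (session_id, field) for every secret found."""
    return sorted((sid, key) for sid, d in store.dump().items() for key in d if key in SECRET_FIELDS)


if __name__ == "__main__":
    # Constructed sample request, as a client would send it to a password-change endpoint.
    body = {"new_password": "correct horse battery staple", "logout_devices": True}

    vulnerable = SessionStore()
    start_session_vulnerable(vulnerable, "s1", body)
    print("vulnerable store:", find_plaintext_passwords(vulnerable))

    fixed = SessionStore()
    start_session_fixed(fixed, "s1", body)
    print("fixed store:", find_plaintext_passwords(fixed))
    stored_hash = fixed.dump()["s1"]["new_password_hash"]
    print("hash still verifies when the flow completes:", verify_password(body["new_password"], stored_hash))
```

The point of `start_session_fixed` is that the server can still finish the change once the flow resumes, because the hash is all it needs to write to the credentials table, while a backup of `SessionStore` taken inside the 48-hour window never contains the plaintext. Running `find_plaintext_passwords` against a real Synapse backup would require its actual table and column names, which this page does not give, so the check here runs only over the example's own store.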

### Patches
https://github.com/matrix-org/synapse/pull/16272

### References

This bug was due to a regression in https://github.com/matrix-org/synapse/pull/13188.

Affected Packages

PyPI matrix-synapse
Affected versions: >= 1.66.0, < 1.93.0 (fixed in 1.93.0)

Key Information

GHSA ID
GHSA-4f74-84v3-j9q5
Published
September 26, 2023 6:55 PM
Last Modified
September 30, 2024 8:42 PM
CVSS Score
2.5 / 10 (Low)
Primary Ecosystem
PyPI
Primary Package
matrix-synapse
GitHub Reviewed
✓ Yes

Dataset

Last updated: September 13, 2025 6:30 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.