GHSA-grvv-h2f9-7v9c

GitHub Security Advisory

gomatrixserverlib and Dendrite vulnerable to incorrect parsing of the event default power level in event auth

✓ GitHub Reviewed MODERATE Has CVE

Advisory Details

### Impact

The power level parsing within gomatrixserverlib was failing to parse the `"events_default"` key of the `m.room.power_levels` event, defaulting the event default power level to zero in all cases.

In rooms where the `"events_default"` power level had been changed, this could result in events either being incorrectly authorised or rejected by Dendrite servers.
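The effect described above, as an added Go example that is not gomatrixserverlib's or Dendrite's code. The `PowerLevels` type, `parse`, `canSend`, the `honourEventsDefault` switch and the room content are constructed for illustration, and the auth check is simplified to comparing the sender's level with `events_default` (no per-event-type overrides).

```go
package main

import (
	"encoding/json"
	"fmt"
)

// PowerLevels is a simplified, hypothetical model of m.room.power_levels content.
type PowerLevels struct {
	EventsDefault int64            `json:"events_default"`
	UsersDefault  int64            `json:"users_default"`
	Users         map[string]int64 `json:"users"`
}

// parse decodes the event content. With honourEventsDefault=false it models the
// advisory's effect: the events_default value is lost and the level stays zero.
func parse(content []byte, honourEventsDefault bool) (PowerLevels, error) {
	var pl PowerLevels
	if err := json.Unmarshal(content, &pl); err != nil {
		return PowerLevels{}, err
	}
	if !honourEventsDefault {
		pl.EventsDefault = 0 // assumption: stands in for the failed parse
	}
	return pl, nil
}

// canSend reports whether sender's level meets the event default level.
func (pl PowerLevels) canSend(sender string) bool {
	level, ok := pl.Users[sender]
	if !ok {
		level = pl.UsersDefault
	}
	return level >= pl.EventsDefault
}

func main() {
	// Constructed sample: a room that raised events_default to 50.
	content := []byte(`{"events_default":50,"users_default":0,"users":{"@mod:example.org":50}}`)
	for _, fixed := range []bool{false, true} {
		pl, err := parse(content, fixed)
		if err != nil {
			panic(err)
		}
		fmt.Printf("fixed=%v guest=%v mod=%v\n", fixed, pl.canSend("@guest:example.org"), pl.canSend("@mod:example.org"))
	}
}
```

A room that lowers `events_default` below zero shows the opposite outcome: the zero default rejects a sender that the room's real setting would allow.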

### Patches

gomatrixserverlib contains a fix as of commit `723fd49` and Dendrite 0.9.3 has been updated accordingly.

### Workarounds

Matrix rooms where the `"events_default"` power level has not been changed from the default of zero are not vulnerable.

### For more information

If you have any questions or comments about this advisory, e-mail us at [[email protected]](mailto:[email protected]).

Affected Packages

Go github.com/matrix-org/dendrite
Affected versions: 0 (fixed in 0.9.3)
Go github.com/matrix-org/gomatrixserverlib
Affected versions: 0 (fixed in 0.0.0-20220815091947-723fd495dde8)

Key Information

GHSA ID: GHSA-grvv-h2f9-7v9c
Published: August 30, 2022 7:54 PM
Last Modified: August 30, 2022 7:54 PM
CVSS Score: 5.0/10
Primary Ecosystem: Go
Primary Package: github.com/matrix-org/dendrite
GitHub Reviewed: ✓ Yes

Dataset

Last updated: September 14, 2025 6:31 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.