FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

dendrite -- Incorrect parsing of the event default power level in event auth

Affected packages
dendrite < 0.9.3

Details

VuXML ID d658042c-1c98-11ed-95f8-901b0e9408dc
Discovery 2022-08-15
Entry 2022-08-15
Modified 2022-08-25

Dendrite team reports:

The power level parsing within gomatrixserverlib was failing to parse the "events_default" key of the m.room.power_levels event, defaulting the event default power level to zero in all cases.

In rooms where the "events_default" power level had been changed, this could result in events either being incorrectly authorised or rejected by Dendrite servers.
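
The effect described in the report, as an added example (not code from Dendrite or gomatrixserverlib): a simplified Go model of the Matrix power-level check for non-state events, comparing the decision with "events_default" honoured against the decision when it is always zero. The type and function names, user IDs and room content are constructed for illustration, and power levels are assumed to be JSON integers.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// PowerLevels is a subset of m.room.power_levels content; absent keys decode to 0.
type PowerLevels struct {
	Users         map[string]int64 `json:"users"`
	UsersDefault  int64            `json:"users_default"`
	Events        map[string]int64 `json:"events"`
	EventsDefault int64            `json:"events_default"`
}

// CanSend applies the power-level rule for a non-state event:
// the sender's level must be at least the level required for the type.
func (pl PowerLevels) CanSend(user, eventType string) bool {
	level, ok := pl.Users[user]
	if !ok {
		level = pl.UsersDefault
	}
	required, ok := pl.Events[eventType]
	if !ok {
		required = pl.EventsDefault
	}
	return level >= required
}

// Compare returns the decision with events_default honoured and the
// decision when it is forced to zero (the effect the advisory describes).
func Compare(content []byte, user, eventType string) (correct, affected bool, err error) {
	var pl PowerLevels
	if err = json.Unmarshal(content, &pl); err != nil {
		return false, false, err
	}
	correct = pl.CanSend(user, eventType)
	pl.EventsDefault = 0
	affected = pl.CanSend(user, eventType)
	return correct, affected, nil
}

func main() {
	// Constructed sample content, not taken from a real room.
	announce := []byte(`{"users":{"@admin:example.org":100},"events_default":50}`)
	muted := []byte(`{"users_default":-10,"events_default":-10}`)
	fmt.Println(Compare(announce, "@guest:example.org", "m.room.message")) // false true <nil>
	fmt.Println(Compare(muted, "@guest:example.org", "m.room.message"))    // true false <nil>
}
```

The two decisions differ only when "events_default" is non-zero and the event type has no entry under "events", which matches the report's scope of rooms where that level had been changed.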

References

CVE Name CVE-2022-36009
URL https://github.com/matrix-org/gomatrixserverlib/security/advisories/GHSA-grvv-h2f9-7v9c