Vulnerability Report: GO-2022-0952
- CVE-2022-36009, GHSA-grvv-h2f9-7v9c
- Affects: github.com/matrix-org/gomatrixserverlib
- Published: Aug 22, 2022
- Modified: May 20, 2024
Power level parsing does not parse the "events_default" key of the m.room.power_levels event, setting the event default power level to zero in all cases. This can cause events to be improperly accepted or rejected in rooms where the events_default power level has been changed.
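The failure mode described above, as an added Go example that is not gomatrixserverlib's own code: a simplified power-level check in which a flag decides whether "events_default" is read. The powerLevels type, its functions and the sample room content are assumptions made for illustration; state_default and the other power-level keys are left out.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// powerLevels is a simplified, hypothetical model of m.room.power_levels content.
type powerLevels struct {
	UsersDefault  int64            `json:"users_default"`
	EventsDefault int64            `json:"events_default"`
	Users         map[string]int64 `json:"users"`
	Events        map[string]int64 `json:"events"`
}

// parse decodes raw; readEventsDefault=false models the reported defect (key never read).
func parse(raw []byte, readEventsDefault bool) (pl powerLevels, err error) {
	if err = json.Unmarshal(raw, &pl); err == nil && !readEventsDefault {
		pl.EventsDefault = 0 // event default stays at zero whatever the room says
	}
	return pl, err
}

func levelOr(m map[string]int64, k string, def int64) int64 {
	if v, ok := m[k]; ok {
		return v
	}
	return def
}

// canSend compares the sender's level with the level the event type requires.
func (pl powerLevels) canSend(sender, evType string) bool {
	return levelOr(pl.Users, sender, pl.UsersDefault) >= levelOr(pl.Events, evType, pl.EventsDefault)
}

// guestCanSend parses raw and checks an unlisted user sending m.room.message.
func guestCanSend(raw string, readEventsDefault bool) bool {
	pl, err := parse([]byte(raw), readEventsDefault)
	return err == nil && pl.canSend("@guest:example.org", "m.room.message")
}

// Constructed sample content: one room raises events_default, one lowers it.
const raised = `{"users_default":0,"events_default":50,"users":{"@mod:example.org":50}}`
const lowered = `{"users_default":-10,"events_default":-10}`

func main() {
	for _, fixed := range []bool{false, true} {
		fmt.Println(fixed, guestCanSend(raised, fixed), guestCanSend(lowered, fixed))
	}
}
```

With the key ignored, the room that raised the default accepts the unlisted user's message and the room that lowered it rejects the message; reading the key reverses both outcomes.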
Affected Packages
- Path: github.com/matrix-org/gomatrixserverlib
- Go Versions: before v0.0.0-20220815091947-723fd495dde8
- Symbols: 16 affected symbols
- Allowed
- Event.PowerLevels
- EventsLoader.LoadAndVerify
- HeaderedReverseTopologicalOrdering
- NewPowerLevelContentFromAuthEvents
- NewPowerLevelContentFromEvent
- RequestBackfill
- ResolveConflicts
- ResolveStateConflicts
- ResolveStateConflictsV2
- RespSendJoin.Check
- RespState.Check
- RespState.Events
- ReverseTopologicalOrdering
- VerifyAuthRulesAtState
- VerifyEventAuthChain
References
- https://github.com/matrix-org/gomatrixserverlib/commit/723fd495dde835d078b9f2074b6b62c06dea4575
- https://vuln.go.dev/ID/GO-2022-0952.json