id: GO-2022-0952
modules:
    - module: github.com/matrix-org/gomatrixserverlib
      versions:
          - fixed: 0.0.0-20220815091947-723fd495dde8
      vulnerable_at: 0.0.0-20220812132423-6a49c18a298a
      packages:
          - package: github.com/matrix-org/gomatrixserverlib
            symbols:
                - NewPowerLevelContentFromEvent
            derived_symbols:
                - Allowed
                - Event.PowerLevels
                - EventsLoader.LoadAndVerify
                - HeaderedReverseTopologicalOrdering
                - NewPowerLevelContentFromAuthEvents
                - RequestBackfill
                - ResolveConflicts
                - ResolveStateConflicts
                - ResolveStateConflictsV2
                - RespSendJoin.Check
                - RespState.Check
                - RespState.Events
                - ReverseTopologicalOrdering
                - VerifyAuthRulesAtState
                - VerifyEventAuthChain
summary: Incorrect event parsing in github.com/matrix-org/gomatrixserverlib
description: |-
    Power level parsing does not parse the "events_default" key of the
    m.room.power_levels event, setting the event default power level to zero in all
    cases. This can cause events to be improperly accepted or rejected in rooms
    where the "events_default" power level has been changed.
published: 2022-08-22T18:08:50Z
cves:
    - CVE-2022-36009
ghsas:
    - GHSA-grvv-h2f9-7v9c
references:
    - fix: https://github.com/matrix-org/gomatrixserverlib/commit/723fd495dde835d078b9f2074b6b62c06dea4575
review_status: REVIEWED