CVE-2023-41335

Temporary storage of plaintext passwords during password changes in Matrix Synapse

Description

Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. When users update their passwords, the new credentials may be briefly held in the server database. While this doesn't grant the server any added capabilities—it already learns the users' passwords as part of the authentication process—it does disrupt the expectation that passwords won't be stored in the database. As a result, these passwords could inadvertently be captured in database backups for a longer duration. These temporarily stored passwords are automatically erased after a 48-hour window. This issue has been addressed in version 1.93.0. Users are advised to upgrade. There are no known workarounds for this issue.

CVSS 3.1 base score: 3.7 (Severity: Low)
EPSS: 0.08%
Vendor Advisory: github.com
Affected: matrix-org synapse

Frequently Asked Questions

What is the severity of CVE-2023-41335?
CVE-2023-41335 has been scored as a low severity vulnerability.
How to fix CVE-2023-41335?
To fix CVE-2023-41335, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As of now, there are no other specific guidelines available.
Is CVE-2023-41335 being actively exploited in the wild?
As of now, there is no information to confirm that CVE-2023-41335 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-41335?
CVE-2023-41335 affects matrix-org synapse.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.