CVE-2023-41335— Temporary storage of plaintext passwords during password changes in matrix synapse
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2023-41335
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Temporary storage of plaintext passwords during password changes in matrix synapse
Source: NVD (National Vulnerability Database)
Vulnerability Description
Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. When users update their passwords, the new credentials may be briefly held in the server database. While this doesn't grant the server any added capabilities—it already learns the users' passwords as part of the authentication process—it does disrupt the expectation that passwords won't be stored in the database. As a result, these passwords could inadvertently be captured in database backups for a longer duration. These temporarily stored passwords are automatically erased after a 48-hour window. This issue has been addressed in version 1.93.0. Users are advised to upgrade. There are no known workarounds for this issue.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
敏感数据的明文存储
Source: NVD (National Vulnerability Database)
Vulnerability Title
Synapse 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
synapse是一个应用程序。用于开放式联合即时消息和VoIP Synapse存在安全漏洞,该漏洞源于在密码更改期间临时存储了明文密码。受影响的产品和版本;Synapse 1.66.0至1.93.0之前版本。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| matrix-org | synapse | >= 1.66.0, < 1.93.0 | - |
II. Public POCs for CVE-2023-41335
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2023-41335
请登录查看更多情报信息。
- https://github.com/matrix-org/synapse/pull/16272x_refsource_MISC
- https://nvd.nist.gov/vuln/detail/CVE-2023-41335
IV. Related Vulnerabilities
Same product: synapse
- CVE-2025-61672
Synapse: Invalid device keys degrade federation functionalit - CVE-2025-30355
Synapse vulnerable to federation denial of service via malfo - CVE-2024-37303
Synapse unauthenticated writes to the media repository allow - CVE-2024-37302
Synapse denial of service through media disk space consumpti - CVE-2024-52805
Synapse allows unsupported content types to lead to memory e
Same vendor: matrix-org
- CVE-2025-66622
matrix-sdk-base is vulnerable to DoS via custom m.room.join_ - CVE-2025-59160
matrix-js-sdk has insufficient validation when considering a - CVE-2025-59047
matrix-sdk-base has panic in the `RoomMember::normalized_pow - CVE-2025-53549
Matrix Rust SDK allows SQL injection in the EventCache imple - CVE-2025-48937
matrix-sdk-crypto vulnerable to sender of encrypted events b
Same weakness: CWE-312
- CVE-2026-7163
Assisted-service: assisted-service: authenticated users can - CVE-2026-41385
OpenClaw < 2026.3.31 - Nostr Private Key Exposure via config - CVE-2026-6553
TYPO3 CMS Stores Cleartext Password in User Settings Module - CVE-2026-35644
OpenClaw < 2026.3.22 - Credential Exposure via baseUrl Field - CVE-2025-14815
Information Disclosure, Tampering, and Denial-of-Service Vul
V. Comments for CVE-2023-41335
No comments yet