Back

CVE-2024-31208

April 23, 2024, 6:15 p.m.

Received
CVE has been recently published to the CVE List and has been received by the NVD.

Products

Synapse Matrix homeserver

  • before 1.105.1

Source

security-advisories@github.com

Tags

CVE-2024-31208 details

Published : April 23, 2024, 6:15 p.m.
Last Modified : April 23, 2024, 6:15 p.m.

Description

Synapse is an open-source Matrix homeserver. A remote Matrix user with malicious intent, sharing a room with Synapse instances before 1.105.1, can dispatch specially crafted events to exploit a weakness in the V2 state resolution algorithm. This can induce high CPU consumption and accumulate excessive data in the database of such instances, resulting in a denial of service. Servers in private federations, or those that do not federate, are not affected. Server administrators should upgrade to 1.105.1 or later. Some workarounds are available. One can ban the malicious users or ACL block servers from the rooms and/or leave the room and purge the room using the admin API.

CVSS Score

1 2 3 4 5 6.5 7 8 9 10

Weakness

Weakness Name Description

CVSS Data

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

Base Score

6.5

Exploitability Score

Impact Score

Base Severity

MEDIUM

Vector String : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References

URL Source
https://github.com/element-hq/synapse/commit/55b0aa847a61774b6a3acdc4b177a20dc019f01a security-advisories@github.com
https://github.com/element-hq/synapse/releases/tag/v1.105.1 security-advisories@github.com
https://github.com/element-hq/synapse/security/advisories/GHSA-3h7q-rfh9-xm4v security-advisories@github.com
This website uses the NVD API, but is not approved or certified by it.