CVE-2023-45129
matrix-synapse vulnerable to denial of service due to malicious server ACL events
Descriptions
Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. Prior to version 1.94.0, a malicious server ACL event can impact performance temporarily or permanently, leading to a persistent denial of service. Homeservers running on a closed federation (which presumably do not need to use server ACLs) are not affected. Server administrators are advised to upgrade to Synapse 1.94.0 or later. As a workaround, rooms with malicious server ACL events can be purged and blocked using the admin API.
Timeline
- 2023-10-04 CVE Reserved
- 2023-10-10 CVE Published
- 2024-08-02 CVE Updated
- 2024-10-16 EPSS Updated
CWE
- CWE-770: Allocation of Resources Without Limits or Throttling
References (7)
URL | Date | SRC |
---|---|---|
https://github.com/matrix-org/synapse/pull/16360 | 2024-01-07 | |
https://github.com/matrix-org/synapse/security/advisories/GHSA-5chr-wjw5-3gq4 | 2024-01-07 | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Matrix | Synapse | < 1.94.0 | - | Affected |
Fedoraproject | Fedora | 37 | - | Affected |
Fedoraproject | Fedora | 38 | - | Affected |