CVE-2024-31208

Synapse's V2 state resolution weakness allows DoS from remote room members

Severity Score

6.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

Synapse is an open-source Matrix homeserver. A remote Matrix user with malicious intent, sharing a room with Synapse instances before 1.105.1, can dispatch specially crafted events to exploit a weakness in the V2 state resolution algorithm. This can induce high CPU consumption and accumulate excessive data in the database of such instances, resulting in a denial of service. Servers in private federations, or those that do not federate, are not affected. Server administrators should upgrade to 1.105.1 or later. Some workarounds are available. One can ban the malicious users or ACL block servers from the rooms and/or leave the room and purge the room using the admin API.

Synapse es un servidor doméstico Matrix de código abierto. Un usuario remoto de Matrix con intenciones maliciosas, que comparte una sala con instancias de Synapse anteriores a 1.105.1, puede enviar eventos especialmente diseñados para explotar una debilidad en el algoritmo de resolución de estado V2. Esto puede inducir un alto consumo de CPU y acumular datos excesivos en la base de datos de dichas instancias, lo que resulta en una denegación de servicio. Los servidores de federaciones privadas, o aquellos que no se federan, no se ven afectados. Los administradores del servidor deben actualizar a 1.105.1 o posterior. Algunas soluciones están disponibles. Se puede prohibir a los usuarios malintencionados o a los servidores de bloqueo ACL de las salas y/o abandonar la sala y purgarla utilizando la API de administración.

*Credits: N/A

CVSS Scores

GitHubv3.1 6.5

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-03-29 CVE Reserved
2024-04-23 CVE Published
2024-05-03 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-770: Allocation of Resources Without Limits or Throttling

CAPEC

References (6)

URL	Tag	Source
https://github.com/element-hq/synapse/commit/55b0aa847a61774b6a3acdc4b177a20dc019f01a	X_refsource_misc
https://github.com/element-hq/synapse/releases/tag/v1.105.1	X_refsource_misc
https://github.com/element-hq/synapse/security/advisories/GHSA-3h7q-rfh9-xm4v	X_refsource_confirm
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R6FCCO4ODTZ3FDS7TMW76PKOSEL2TQVB
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RR53FNHV446CB37TP45GZ6F6HZLZCK3K
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSF4NJJSTSQRJQ47PLYYSCFYKJBP7DET

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Element-hq Search vendor "Element-hq"		Synapse Search vendor "Element-hq" for product "Synapse"				< 1.105.1 Search vendor "Element-hq" for product "Synapse" and version " < 1.105.1"		en		Affected