CVE-2023-45129Allocation of Resources Without Limits or Throttling in Synapse

CWE-770Allocation of Resources Without Limits or Throttling7 documents6 sources
Severity
4.9MEDIUMNVD
EPSS
0.2%
top 52.42%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Matrix-org SynapseMatrix SynapseFedoraproject Fedora
Timeline
PublishedOct 10

Description

Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. Prior to version 1.94.0, a malicious server ACL event can impact performance temporarily or permanently leading to a persistent denial of service. Homeservers running on a closed federation (which presumably do not need to use server ACLs) are not affected. Server administrators are advised to upgrade to Synapse 1.94.0 or later. As a workaround, rooms with malicious server ACL events can be purged an

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:HExploitability: 1.2 | Impact: 3.6

Affected Packages2 packages

NVDmatrix/synapse< 1.94.0
CVEListV5matrix-org/synapse< 1.94.0

Also affects: Fedora 37, 38

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

4
CVEList
matrix-synapse vulnerable to denial of service due to malicious server ACL events2023-10-10
OSV
CVE-2023-45129: Synapse is an open-source Matrix homeserver written and maintained by the Matrix2023-10-10
OSV
matrix-synapse vulnerable to denial of service due to malicious server ACL events2023-10-10
GHSA
matrix-synapse vulnerable to denial of service due to malicious server ACL events2023-10-10

📋Vendor Advisories

2
Red Hat
synapse: malicious ACL event can cause denial of service2023-10-10
Debian
CVE-2023-45129: matrix-synapse - Synapse is an open-source Matrix homeserver written and maintained by the Matrix...2023
CVE-2023-45129 — Matrix-org Synapse vulnerability | cvebase