CVE-2024-37302: Allocation of Resources Without Limits or Throttling in Synapse

Severity: 7.5 HIGH (NVD)
EPSS: 0.5% (top 34.82%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Dec 3, 2024

Description

Synapse is an open-source Matrix homeserver. Synapse versions before 1.106 are vulnerable to a disk fill attack, in which an unauthenticated adversary can induce Synapse to download and cache large amounts of remote media. The default rate limit strategy is insufficient to mitigate this. The result is a denial of service, ranging from further media uploads/downloads failing to complete unavailability of the Synapse process, depending on how Synapse was deployed. Synapse 1.106 introduces a new
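The description says the default rate limit is insufficient but not why. The point is that a limit on the number of requests does not bound disk usage: a handful of requests for large remote media files fills the cache, while a limit that charges the bytes fetched does bound it. The following simulation is an added example written for this page, not Synapse's code; the disk size, media sizes, limiter parameters, request timing and the `mxc://evil.example/...` identifiers are all constructed, and the media size is assumed known before the fetch (a real server only learns it from the remote response and would account bytes as they stream).

```python
# Added example (not Synapse code): why a request-count rate limit does not stop a
# disk-fill attack on a homeserver's remote-media cache, and what a size-aware
# limit changes. Disk size, media sizes, limiter parameters and request timing are
# constructed for the simulation; the media size is assumed known up front.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MiB = 1024 * 1024


@dataclass
class RequestRateLimiter:
    """Allows at most max_requests per sliding window; ignores response size."""
    max_requests: int
    window_s: float
    _times: List[float] = field(default_factory=list)

    def allow(self, now: float, nbytes: int) -> bool:
        self._times = [t for t in self._times if now - t < self.window_s]
        if len(self._times) >= self.max_requests:
            return False
        self._times.append(now)
        return True


@dataclass
class ByteBudgetLimiter:
    """Token bucket whose cost is the size of the media fetched, in bytes."""
    bytes_per_second: float
    burst_bytes: float
    _tokens: Optional[float] = None
    _last: float = 0.0

    def allow(self, now: float, nbytes: int) -> bool:
        if self._tokens is None:        # first call: bucket starts full
            self._tokens, self._last = self.burst_bytes, now
        refill = (now - self._last) * self.bytes_per_second
        self._tokens = min(self.burst_bytes, self._tokens + refill)
        self._last = now
        if nbytes > self._tokens:
            return False
        self._tokens -= nbytes
        return True


class RemoteMediaCache:
    """Fetches remote media on first request and keeps a local copy (status codes mimic HTTP)."""

    def __init__(self, disk_bytes: int, limiter) -> None:
        self.free = disk_bytes
        self.limiter = limiter
        self.cached: Dict[str, int] = {}

    def download(self, now: float, media_id: str, size: int) -> int:
        if media_id in self.cached:
            return 200                  # served from cache, no new disk use
        if not self.limiter.allow(now, size):
            return 429
        if size > self.free:
            return 507                  # disk full: every later fetch fails too
        self.free -= size
        self.cached[media_id] = size
        return 200


def simulate(limiter, disk_bytes: int, requests: int, media_size: int) -> dict:
    """Unauthenticated client requests a distinct remote media file once per second."""
    cache = RemoteMediaCache(disk_bytes, limiter)
    counts: Dict[int, int] = {}
    for t in range(requests):
        status = cache.download(float(t), f"mxc://evil.example/{t}", media_size)
        counts[status] = counts.get(status, 0) + 1
    return {"statuses": counts, "free_mib": cache.free // MiB}


def count_limited() -> dict:
    # 10 requests/second looks strict, but one 100 MiB file per second fills 1 GiB in 10 s.
    return simulate(RequestRateLimiter(10, 1.0), 1024 * MiB, 60, 100 * MiB)


def byte_limited() -> dict:
    # Charging bytes (5 MiB/s, 200 MiB burst) bounds disk growth by the budget, not the request rate.
    return simulate(ByteBudgetLimiter(5 * MiB, 200 * MiB), 1024 * MiB, 60, 100 * MiB)


if __name__ == "__main__":
    print("request-count limit:", count_limited())
    print("byte-budget limit:  ", byte_limited())
```

Under the request-count limit the attacker never trips the limiter, the 1 GiB cache is full after ten downloads, and the remaining fifty requests fail with the disk-full status; under the byte budget only four downloads go through in the same minute and 624 MiB stay free. When auditing a deployment, the question to ask of any media rate limit is therefore whether its cost function is bytes or requests.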

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages (2)

NVD: matrix/synapse < 1.106.0
CVEList V5: element-hq/synapse < 1.106

Vulnerability Details (4)

CVEList: Synapse denial of service through media disk space consumption (2024-12-03)
OSV: CVE-2024-37302: Synapse is an open-source Matrix homeserver (2024-12-03)
GHSA: Synapse denial of service through media disk space consumption (2024-12-03)
OSV: Synapse denial of service through media disk space consumption (2024-12-03)

Vendor Advisories (1)

Debian: CVE-2024-37302: matrix-synapse - Synapse is an open-source Matrix homeserver. Synapse versions before 1.106 are v... (2024)
CVE-2024-37302 — Element-hq Synapse vulnerability | cvebase