CVE-2023-45129

EPSS 0.25%
Published 10.10.2023 18:15:19
Last modified 21.11.2024 08:26:24
Source security-advisories@github.com
Teams watchlist Login
Open Login

Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. Prior to version 1.94.0, a malicious server ACL event can impact performance temporarily or permanently leading to a persistent denial of service. Homeservers running on a closed federation (which presumably do not need to use server ACLs) are not affected. Server administrators are advised to upgrade to Synapse 1.94.0 or later. As a workaround, rooms with malicious server ACL events can be purged and blocked using the admin API.

Affected products Warnungen 0 Metrics 3 CWE 1 References 10

Data is provided by the National Vulnerability Database (NVD)

Matrix ≫ Synapse Version < 1.94.0

Fedoraproject ≫ Fedora Version37

Fedoraproject ≫ Fedora Version38

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.25%	0.484

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	4.9	1.2	3.6	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
security-advisories@github.com	4.9	1.2	3.6	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

CWE-770 Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N6P4QULVUE254WI7XF2LWWOGHCYVFXFY/

https://security.gentoo.org/glsa/202401-12

https://github.com/matrix-org/synapse/pull/16360

Patch

Vendor Advisory

https://github.com/matrix-org/synapse/security/advisories/GHSA-5chr-wjw5-3gq4

Vendor Advisory

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KEVRB4MG5UXQ5RLZHSUJXM5GWEBYYS5B/

Mailing List

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WRO4MPQ6HOXIUZM6RJP6VTCTMV7RD2T3/

Mailing List

https://matrix-org.github.io/synapse/latest/admin_api/rooms.html#version-2-new-version

Release Notes

https://nvd.nist.gov/vuln/detail/CVE-2023-45129

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-45129

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-45129

EUVD