Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS01Y2hyLXdqdzUtM2dxNM4AA2X1
matrix-synapse vulnerable to denial of service due to malicious server ACL events
Impact
A malicious server ACL event can degrade homeserver performance temporarily or permanently, leading to a persistent denial of service.
Homeservers running on a closed federation (which presumably do not need to use server ACLs) are not affected.
Patches
Server administrators are advised to upgrade to Synapse 1.94.0 or later.
Workarounds
Rooms with malicious server ACL events can be purged and blocked using the admin API.
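The following script is an added example for this advisory page, not Synapse project code. It shows the triage a homeserver admin would do for this issue: read the running version from the admin API and compare it with the fixed release (1.94.0), fetch a room's state and locate its m.room.server_acl event, and apply the advisory's workaround by purging and blocking the room through the version 2 delete-room admin API (linked in the references) and polling its delete status. The admin endpoints and their request/response shapes are the documented Synapse ones; the `oversized_acl` threshold, the sample room state and the environment-variable names are assumptions made for illustration.

```python
"""Triage helpers for GHSA-5chr-wjw5-3gq4 / CVE-2023-45129 (Synapse server ACL DoS).

Added example, not Synapse project code. Standard library only. Admin API used:
  GET    /_synapse/admin/v1/server_version
  GET    /_synapse/admin/v1/rooms/<room_id>/state
  DELETE /_synapse/admin/v2/rooms/<room_id>        body: {"block": true, "purge": true}
  GET    /_synapse/admin/v2/rooms/delete_status/<delete_id>
The oversized-ACL threshold and SAMPLE_STATE below are constructed for illustration.
"""
import json
import re
import time
import urllib.request
from urllib.parse import quote

FIXED_VERSION = (1, 94, 0)  # "Fixed in: 1.94.0" per the advisory


def parse_version(text):
    """'1.93.0' -> (1, 93, 0); tolerates suffixes such as '1.94.0rc1'."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Synapse version: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(server_version):
    """True when the reported Synapse version is below the fixed release."""
    return parse_version(server_version) < FIXED_VERSION


def find_server_acl(state_events):
    """Return the room's current m.room.server_acl state event, or None."""
    for ev in state_events:
        if ev.get("type") == "m.room.server_acl" and ev.get("state_key", "") == "":
            return ev
    return None


def acl_pattern_count(acl_event):
    """Total number of allow + deny patterns carried by the ACL event."""
    content = acl_event.get("content", {})
    return len(content.get("allow", [])) + len(content.get("deny", []))


def oversized_acl(acl_event, max_patterns=1000):
    """Heuristic (assumption, not from the advisory): flag ACLs carrying far more
    patterns than a moderator would plausibly write. Tune max_patterns locally."""
    return acl_pattern_count(acl_event) > max_patterns


def build_admin_request(base_url, token, method, path, body=None):
    """Prepare an authenticated admin-API request; sending is separate so this is testable."""
    data = json.dumps(body).encode() if body is not None else None
    headers = {"Authorization": f"Bearer {token}"}
    if data is not None:
        headers["Content-Type"] = "application/json"
    return urllib.request.Request(base_url.rstrip("/") + path, data=data,
                                  headers=headers, method=method)


def send(req, timeout=30):
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def room_path(room_id):
    # Room IDs contain '!' and ':'; percent-encode them in the URL path.
    return f"/_synapse/admin/v2/rooms/{quote(room_id, safe='')}"


def purge_and_block_room(base_url, token, room_id, poll_interval=2.0):
    """Advisory workaround: purge the room's history and block future joins,
    then poll the asynchronous delete job until it completes or fails."""
    started = send(build_admin_request(base_url, token, "DELETE", room_path(room_id),
                                       {"block": True, "purge": True}))
    status_path = f"/_synapse/admin/v2/rooms/delete_status/{started['delete_id']}"
    while True:
        status = send(build_admin_request(base_url, token, "GET", status_path))
        if status["status"] in ("complete", "failed"):
            return status
        time.sleep(poll_interval)


# Constructed sample of what GET /_synapse/admin/v1/rooms/<id>/state returns.
SAMPLE_ROOM_ID = "!abc123:example.org"
SAMPLE_STATE = [
    {"type": "m.room.create", "state_key": "", "content": {"room_version": "10"}},
    {"type": "m.room.server_acl", "state_key": "",
     "content": {"allow": ["*"], "allow_ip_literals": False,
                 "deny": ["evil.example", "*.evil.example", "spam.example"]}},
]

if __name__ == "__main__":
    import os, sys  # SYNAPSE_URL / SYNAPSE_ADMIN_TOKEN are assumed variable names
    base, token = os.environ["SYNAPSE_URL"], os.environ["SYNAPSE_ADMIN_TOKEN"]
    ver = send(build_admin_request(base, token, "GET", "/_synapse/admin/v1/server_version"))
    print("server_version:", ver["server_version"], "affected:", is_affected(ver["server_version"]))
    if len(sys.argv) > 1:  # usage: script.py '!room:example.org'
        rid = sys.argv[1]
        state = send(build_admin_request(
            base, token, "GET", f"/_synapse/admin/v1/rooms/{quote(rid, safe='')}/state"))
        acl = find_server_acl(state["state"])
        if acl and oversized_acl(acl):
            print(purge_and_block_room(base, token, rid))
```

Blocking is what makes the workaround hold: purging alone removes the stored events, but without `"block": true` a remote server could re-invite local users and the malicious ACL event would be pulled back in. The delete job runs asynchronously, so check the reported `status` rather than assuming the DELETE response means the room is gone.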
Permalink: https://github.com/advisories/GHSA-5chr-wjw5-3gq4
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01Y2hyLXdqdzUtM2dxNM4AA2X1
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 1 year ago
Updated: 2 months ago
CVSS Score: 4.9
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
EPSS Percentage: 0.00249
EPSS Percentile: 0.65246
Identifiers: GHSA-5chr-wjw5-3gq4, CVE-2023-45129
References:
- https://github.com/matrix-org/synapse/security/advisories/GHSA-5chr-wjw5-3gq4
- https://nvd.nist.gov/vuln/detail/CVE-2023-45129
- https://github.com/matrix-org/synapse/pull/16360
- https://github.com/matrix-org/synapse/commit/f84da3c32ec74cf054e2fd6d10618aa4997cffaa
- https://matrix-org.github.io/synapse/latest/admin_api/rooms.html#version-2-new-version
- https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2023-199.yaml
- https://security.gentoo.org/glsa/202401-12
- https://lists.fedoraproject.org/archives/list/[email protected]/message/KEVRB4MG5UXQ5RLZHSUJXM5GWEBYYS5B
- https://lists.fedoraproject.org/archives/list/[email protected]/message/N6P4QULVUE254WI7XF2LWWOGHCYVFXFY
- https://lists.fedoraproject.org/archives/list/[email protected]/message/WRO4MPQ6HOXIUZM6RJP6VTCTMV7RD2T3
- https://github.com/advisories/GHSA-5chr-wjw5-3gq4
Blast Radius: 6.9
Affected Packages
pypi:matrix-synapse
Dependent packages: 6
Dependent repositories: 26
Downloads: 61,602 last month
Affected Version Ranges: < 1.94.0
Fixed in: 1.94.0
All affected versions: 0.33.5, 0.33.6, 0.33.7, 0.33.8, 0.33.9, 0.34.0, 0.99.0, 0.99.1, 0.99.2, 0.99.3, 0.99.4, 0.99.5, 1.0.0, 1.1.0, 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.5.0, 1.5.1, 1.6.0, 1.6.1, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.8.0, 1.9.0, 1.9.1, 1.10.0, 1.10.1, 1.11.0, 1.11.1, 1.12.0, 1.12.1, 1.12.2, 1.12.3, 1.12.4, 1.13.0, 1.14.0, 1.15.0, 1.15.1, 1.15.2, 1.16.0, 1.16.1, 1.17.0, 1.18.0, 1.19.0, 1.19.1, 1.19.2, 1.19.3, 1.20.0, 1.20.1, 1.21.0, 1.21.1, 1.21.2, 1.22.0, 1.22.1, 1.23.0, 1.23.1, 1.24.0, 1.25.0, 1.26.0, 1.27.0, 1.28.0, 1.29.0, 1.30.0, 1.30.1, 1.31.0, 1.32.0, 1.32.1, 1.32.2, 1.33.0, 1.33.1, 1.33.2, 1.34.0, 1.35.0, 1.35.1, 1.36.0, 1.37.0, 1.37.1, 1.38.0, 1.38.1, 1.39.0, 1.40.0, 1.41.0, 1.41.1, 1.42.0, 1.43.0, 1.44.0, 1.45.0, 1.45.1, 1.46.0, 1.47.0, 1.47.1, 1.48.0, 1.49.0, 1.49.2, 1.50.0, 1.50.1, 1.50.2, 1.51.0, 1.52.0, 1.53.0, 1.54.0, 1.55.0, 1.55.1, 1.55.2, 1.56.0, 1.57.0, 1.57.1, 1.58.0, 1.58.1, 1.59.0, 1.59.1, 1.60.0, 1.61.0, 1.61.1, 1.62.0, 1.63.0, 1.63.1, 1.64.0, 1.65.0, 1.66.0, 1.67.0, 1.68.0, 1.69.0, 1.70.0, 1.70.1, 1.71.0, 1.72.0, 1.73.0, 1.74.0, 1.75.0, 1.76.0, 1.77.0, 1.78.0, 1.79.0, 1.80.0, 1.81.0, 1.82.0, 1.83.0, 1.84.0, 1.84.1, 1.85.0, 1.85.1, 1.85.2, 1.86.0, 1.87.0, 1.88.0, 1.89.0, 1.90.0, 1.91.0, 1.91.1, 1.91.2, 1.92.1, 1.92.2, 1.92.3, 1.93.0
All unaffected versions: 1.94.0, 1.95.0, 1.95.1, 1.96.1, 1.97.0, 1.98.0, 1.99.0, 1.100.0, 1.101.0, 1.102.0, 1.103.0, 1.104.0, 1.105.0, 1.105.1, 1.106.0, 1.107.0, 1.108.0, 1.109.0, 1.110.0, 1.111.0, 1.111.1, 1.112.0, 1.113.0, 1.114.0, 1.115.0, 1.116.0, 1.117.0, 1.118.0, 1.119.0, 1.120.0, 1.120.2