PYSEC-2023-199

2023-10-1018:15:00

Google

osv.dev

synapse homeserver

matrix.org foundation

denial of service

version 1.94.0

server administrators

4.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

7.1 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

49.0%

JSON

Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. Prior to version 1.94.0, a malicious server ACL event can impact performance temporarily or permanently leading to a persistent denial of service. Homeservers running on a closed federation (which presumably do not need to use server ACLs) are not affected. Server administrators are advised to upgrade to Synapse 1.94.0 or later. As a workaround, rooms with malicious server ACL events can be purged and blocked using the admin API.

CPENameOperatorVersion
matrix-synapseeq1.19.0
matrix-synapseeq1.56.0
matrix-synapseeq1.52.0rc1
matrix-synapseeq1.56.0rc1
matrix-synapseeq1.3.0rc1
matrix-synapseeq1.66.0rc1
matrix-synapseeq1.92.0rc1
matrix-synapseeq1.73.0rc2
matrix-synapseeq1.9.0.dev2
matrix-synapseeq1.13.0rc1

Name	Operator	Version
matrix-synapse	eq	1.19.0
matrix-synapse	eq	1.56.0
matrix-synapse	eq	1.52.0rc1
matrix-synapse	eq	1.56.0rc1
matrix-synapse	eq	1.3.0rc1
matrix-synapse	eq	1.66.0rc1
matrix-synapse	eq	1.92.0rc1
matrix-synapse	eq	1.73.0rc2
matrix-synapse	eq	1.9.0.dev2
matrix-synapse	eq	1.13.0rc1