CVE-2024-31208

Name
CVE-2024-31208
Description
Synapse is an open-source Matrix homeserver. A remote Matrix user with malicious intent, sharing a room with Synapse instances before 1.105.1, can dispatch specially crafted events to exploit a weakness in the V2 state resolution algorithm. This can induce high CPU consumption and accumulate excessive data in the database of such instances, resulting in a denial of service. Servers in private federations, or those that do not federate, are not affected. Server administrators should upgrade to 1.105.1 or later. Some workarounds are available. One can ban the malicious users or ACL block servers from the rooms and/or leave the room and purge the room using the admin API.
NVD Severity
unknown
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
security-advisories@github.com https://github.com/element-hq/synapse/commit/55b0aa847a61774b6a3acdc4b177a20dc019f01a
security-advisories@github.com https://github.com/element-hq/synapse/releases/tag/v1.105.1
security-advisories@github.com https://github.com/element-hq/synapse/security/advisories/GHSA-3h7q-rfh9-xm4v
security-advisories@github.com https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R6FCCO4ODTZ3FDS7TMW76PKOSEL2TQVB/
security-advisories@github.com https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RR53FNHV446CB37TP45GZ6F6HZLZCK3K/
security-advisories@github.com https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSF4NJJSTSQRJQ47PLYYSCFYKJBP7DET/

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:matrix:synapse:*:*:*:*:*:*:*:* synapse >= None < 1.105.1

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
synapse edge-community 1.105.1-r0 6543 <6543@obermui.de> fixed
synapse edge-community 1.95.1-r0 6543 <6543@obermui.de> possibly vulnerable
synapse edge-community 1.94.0-r0 6543 <6543@obermui.de> possibly vulnerable
synapse edge-community 1.93.0-r0 6543 <6543@obermui.de> possibly vulnerable
synapse edge-community 1.85.1-r0 6543 <6543@obermui.de> possibly vulnerable
synapse edge-community 1.74.0-r0 6543 <6543@obermui.de> possibly vulnerable
synapse edge-community 1.69.0-r0 None possibly vulnerable
synapse edge-community 1.68.0-r0 None possibly vulnerable
synapse edge-community 1.61.1-r0 6543 <6543@obermui.de> possibly vulnerable
synapse edge-community 1.47.1-r0 Leo <thinkabit.ukim@gmail.com> possibly vulnerable
synapse edge-community 1.41.1-r0 Leo <thinkabit.ukim@gmail.com> possibly vulnerable
synapse edge-community 1.33.2-r0 None possibly vulnerable
synapse edge-community 1.30.1-r0 None possibly vulnerable
synapse edge-community 1.24.0-r0 None possibly vulnerable
synapse edge-community 1.21.1-r0 None possibly vulnerable
synapse edge-community 1.20.0-r0 None possibly vulnerable
synapse 3.22-community 1.105.1-r0 None fixed
synapse 3.22-community 1.95.1-r0 None possibly vulnerable
synapse 3.22-community 1.94.0-r0 None possibly vulnerable
synapse 3.22-community 1.93.0-r0 None possibly vulnerable
synapse 3.22-community 1.85.1-r0 None possibly vulnerable
synapse 3.22-community 1.74.0-r0 None possibly vulnerable
synapse 3.22-community 1.69.0-r0 None possibly vulnerable
synapse 3.22-community 1.68.0-r0 None possibly vulnerable
synapse 3.22-community 1.61.1-r0 None possibly vulnerable
synapse 3.22-community 1.47.1-r0 None possibly vulnerable
synapse 3.22-community 1.41.1-r0 None possibly vulnerable
synapse 3.22-community 1.33.2-r0 None possibly vulnerable
synapse 3.22-community 1.30.1-r0 None possibly vulnerable
synapse 3.22-community 1.24.0-r0 None possibly vulnerable
synapse 3.22-community 1.21.1-r0 None possibly vulnerable
synapse 3.22-community 1.20.0-r0 None possibly vulnerable
synapse 3.21-community 1.105.1-r0 None fixed
synapse 3.20-community 1.105.1-r0 None fixed