CVE-2024-52805

Name: CVE-2024-52805
Description: Synapse is an open-source Matrix homeserver. In Synapse before 1.120.1, multipart/form-data requests can in certain configurations transiently increase memory consumption beyond expected levels while processing the request, which can be used to amplify denial of service attacks. Synapse 1.120.1 resolves the issue by denying requests with unsupported multipart/form-data content type.
NVD Severity: high

References

Type     URI
CONFIRM  https://github.com/element-hq/synapse/security/advisories/GHSA-rfq8-j7rh-8hf2
MISC     https://github.com/twisted/twisted/issues/4688#issuecomment-1167705518
MISC     https://github.com/twisted/twisted/issues/4688#issuecomment-2385711609

Match rules

CPE URI                                       Source package  Min version  Max version
-                                             synapse         >= 0         < 1.120.1
cpe:2.3:a:element-hq:synapse:*:*:*:*:*:*:*:*  synapse         >= 0         < 1.120.1

Vulnerable and fixed packages

Source package  Branch          Version     Maintainer                            Status
synapse         edge-community  1.120.2-r0  jahway603 <jahway603@protonmail.com>  fixed
synapse         3.21-community  1.120.2-r0  jahway603 <jahway603@protonmail.com>  fixed