CVE-2024-52815

Name: CVE-2024-52815
Description: Synapse is an open-source Matrix homeserver. Synapse versions before 1.120.1 fail to properly validate invites received over federation. This vulnerability allows a malicious server to send a specially crafted invite that disrupts the invited user's /sync functionality. Synapse 1.120.1 rejects such invalid invites received over federation and restores the ability to sync for affected users.
NVD Severity: high

References

| Type | URI |
| --- | --- |
| CONFIRM | https://github.com/element-hq/synapse/security/advisories/GHSA-f3r3-h2mq-hx2h |

Match rules

| CPE URI | Source package | Min version | Max version |
| --- | --- | --- | --- |
| | synapse | >= 0 | < 1.120.1 |
| cpe:2.3:a:element-hq:synapse:*:*:*:*:*:*:*:* | synapse | >= 0 | < 1.120.1 |

Vulnerable and fixed packages

| Source package | Branch | Version | Maintainer | Status |
| --- | --- | --- | --- | --- |
| synapse | edge-community | 1.120.2-r0 | jahway603 <jahway603@protonmail.com> | fixed |
| synapse | 3.21-community | 1.120.2-r0 | jahway603 <jahway603@protonmail.com> | fixed |