PT-2023-6464 · Synapse+1

Reivilibre · Published 2023-09-26 · Updated 2024-06-15

·

CVE-2023-45129

CVSS v4.0: 6.9 (Medium)

Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Synapse versions prior to 1.94.0

Description: The issue is caused by a malicious server ACL event that can degrade performance temporarily or permanently, leading to a persistent denial of service. Homeservers running on a closed federation are not affected. The underlying weakness is allocation of resources without limits.

Recommendations: For Synapse versions prior to 1.94.0, upgrade to Synapse 1.94.0 or later. As a temporary workaround, rooms containing malicious server ACL events can be purged and blocked using the admin API.

Tags: Exploit · Fix · DoS · Allocation of Resources Without Limits

Weakness Enumeration

Related Identifiers

ALT-PU-2024-3315
BDU:2023-07183
CVE-2023-45129
GHSA-5CHR-WJW5-3GQ4
OPENSUSE-SU-2024:13320-1
PYSEC-2023-199

Affected Products

Alt Linux
Synapse