cvelistv5 - CVE-2023-32323

CVE-2023-32323 (GCVE-0-2023-32323)

Vulnerability from cvelistv5 – Published: 2023-05-26 13:32 – Updated: 2025-02-13 16:50

Summary

Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. A malicious user on a Synapse homeserver X with permission to create certain state events can disable outbound federation from X to an arbitrary homeserver Y. Synapse instances with federation disabled are not affected. In versions of Synapse up to and including 1.73, Synapse did not limit the size of `invite_room_state`, meaning that it was possible to create an arbitrarily large invite event. Synapse 1.74 refuses to create oversized `invite_room_state` fields. Server operators should upgrade to Synapse 1.74 or newer urgently.

Severity ?

5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L

CWE

CWE-20 - Improper Input Validation

Assigner

GitHub_M

References

URL

Tags

	https://github.com/matrix-org/synapse/security/ad…	x_refsource_CONFIRM
	https://github.com/matrix-org/synapse/issues/14492	x_refsource_MISC
	https://github.com/matrix-org/synapse/pull/14642	x_refsource_MISC
	https://lists.fedoraproject.org/archives/list/pac…

Impacted products

	Vendor	Product	Version
	matrix-org	synapse	Affected: < 1.74.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T15:10:24.899Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/matrix-org/synapse/security/advisories/GHSA-f3wc-3vxv-xmvr",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-f3wc-3vxv-xmvr"
          },
          {
            "name": "https://github.com/matrix-org/synapse/issues/14492",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/matrix-org/synapse/issues/14492"
          },
          {
            "name": "https://github.com/matrix-org/synapse/pull/14642",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/matrix-org/synapse/pull/14642"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJIJRP5ZH6B3KGFLHCAKR2IX2Y4Z25QD/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-32323",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-14T20:00:17.125564Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-14T20:00:25.608Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "synapse",
          "vendor": "matrix-org",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.74.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. A malicious user on a Synapse homeserver X with permission to create certain state events can disable outbound federation from X to an arbitrary homeserver Y. Synapse instances with federation disabled are not affected. In versions of Synapse up to and including 1.73, Synapse did not limit the size of `invite_room_state`, meaning that it was possible to create an arbitrarily large invite event. Synapse 1.74 refuses to create oversized `invite_room_state` fields. Server operators should upgrade to Synapse 1.74 or newer urgently."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20: Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-09-18T03:06:07.780Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/matrix-org/synapse/security/advisories/GHSA-f3wc-3vxv-xmvr",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-f3wc-3vxv-xmvr"
        },
        {
          "name": "https://github.com/matrix-org/synapse/issues/14492",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/matrix-org/synapse/issues/14492"
        },
        {
          "name": "https://github.com/matrix-org/synapse/pull/14642",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/matrix-org/synapse/pull/14642"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJIJRP5ZH6B3KGFLHCAKR2IX2Y4Z25QD/"
        }
      ],
      "source": {
        "advisory": "GHSA-f3wc-3vxv-xmvr",
        "discovery": "UNKNOWN"
      },
      "title": "Synapse Outgoing federation to specific hosts can be disabled by sending malicious invites"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-32323",
    "datePublished": "2023-05-26T13:32:01.632Z",
    "dateReserved": "2023-05-08T13:26:03.880Z",
    "dateUpdated": "2025-02-13T16:50:32.310Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:matrix:synapse:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"1.74.0\", \"matchCriteriaId\": \"D7B262AE-3361-41B7-8BF8-D893316A98C4\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. A malicious user on a Synapse homeserver X with permission to create certain state events can disable outbound federation from X to an arbitrary homeserver Y. Synapse instances with federation disabled are not affected. In versions of Synapse up to and including 1.73, Synapse did not limit the size of `invite_room_state`, meaning that it was possible to create an arbitrarily large invite event. Synapse 1.74 refuses to create oversized `invite_room_state` fields. Server operators should upgrade to Synapse 1.74 or newer urgently.\\n\\n\"}, {\"lang\": \"es\", \"value\": \"Synapse es un servidor dom\\u00e9stico Matrix de c\\u00f3digo abierto escrito y mantenido por la Fundaci\\u00f3n Matrix.org. Un usuario malicioso en un servidor dom\\u00e9stico X de Synapse con permiso para crear ciertos eventos de estado puede deshabilitar la federaci\\u00f3n saliente de X a un servidor dom\\u00e9stico Y arbitrario. Las instancias de Synapse con la federaci\\u00f3n deshabilitada no se ven afectadas. En las versiones de Synapse hasta la 1.73 inclusive, Synapse no limitaba el tama\\u00f1o de `invite_room_state`, lo que significa que era posible crear un evento de invitaci\\u00f3n arbitrariamente grande. Synapse 1.74 se niega a crear campos `invite_room_state` de gran tama\\u00f1o. Los operadores de servidores deben actualizar urgentemente a Synapse 1.74 o posterior.\"}]",
      "id": "CVE-2023-32323",
      "lastModified": "2024-11-21T08:03:06.813",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L\", \"baseScore\": 5.0, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"LOW\"}, \"exploitabilityScore\": 3.1, \"impactScore\": 1.4}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L\", \"baseScore\": 4.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"LOW\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 1.4}]}",
      "published": "2023-05-26T14:15:10.827",
      "references": "[{\"url\": \"https://github.com/matrix-org/synapse/issues/14492\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Exploit\", \"Issue Tracking\"]}, {\"url\": \"https://github.com/matrix-org/synapse/pull/14642\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/matrix-org/synapse/security/advisories/GHSA-f3wc-3vxv-xmvr\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Mitigation\", \"Vendor Advisory\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJIJRP5ZH6B3KGFLHCAKR2IX2Y4Z25QD/\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/matrix-org/synapse/issues/14492\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Issue Tracking\"]}, {\"url\": \"https://github.com/matrix-org/synapse/pull/14642\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/matrix-org/synapse/security/advisories/GHSA-f3wc-3vxv-xmvr\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mitigation\", \"Vendor Advisory\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJIJRP5ZH6B3KGFLHCAKR2IX2Y4Z25QD/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-20\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-20\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-32323\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-05-26T14:15:10.827\",\"lastModified\":\"2025-02-13T17:16:30.267\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. A malicious user on a Synapse homeserver X with permission to create certain state events can disable outbound federation from X to an arbitrary homeserver Y. Synapse instances with federation disabled are not affected. In versions of Synapse up to and including 1.73, Synapse did not limit the size of `invite_room_state`, meaning that it was possible to create an arbitrarily large invite event. Synapse 1.74 refuses to create oversized `invite_room_state` fields. Server operators should upgrade to Synapse 1.74 or newer urgently.\"},{\"lang\":\"es\",\"value\":\"Synapse es un servidor dom\u00e9stico Matrix de c\u00f3digo abierto escrito y mantenido por la Fundaci\u00f3n Matrix.org. Un usuario malicioso en un servidor dom\u00e9stico X de Synapse con permiso para crear ciertos eventos de estado puede deshabilitar la federaci\u00f3n saliente de X a un servidor dom\u00e9stico Y arbitrario. Las instancias de Synapse con la federaci\u00f3n deshabilitada no se ven afectadas. En las versiones de Synapse hasta la 1.73 inclusive, Synapse no limitaba el tama\u00f1o de `invite_room_state`, lo que significa que era posible crear un evento de invitaci\u00f3n arbitrariamente grande. Synapse 1.74 se niega a crear campos `invite_room_state` de gran tama\u00f1o. Los operadores de servidores deben actualizar urgentemente a Synapse 1.74 o posterior.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L\",\"baseScore\":5.0,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.1,\"impactScore\":1.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:matrix:synapse:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.74.0\",\"matchCriteriaId\":\"D7B262AE-3361-41B7-8BF8-D893316A98C4\"}]}]}],\"references\":[{\"url\":\"https://github.com/matrix-org/synapse/issues/14492\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Issue Tracking\"]},{\"url\":\"https://github.com/matrix-org/synapse/pull/14642\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/matrix-org/synapse/security/advisories/GHSA-f3wc-3vxv-xmvr\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJIJRP5ZH6B3KGFLHCAKR2IX2Y4Z25QD/\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/matrix-org/synapse/issues/14492\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Issue Tracking\"]},{\"url\":\"https://github.com/matrix-org/synapse/pull/14642\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/matrix-org/synapse/security/advisories/GHSA-f3wc-3vxv-xmvr\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJIJRP5ZH6B3KGFLHCAKR2IX2Y4Z25QD/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/matrix-org/synapse/security/advisories/GHSA-f3wc-3vxv-xmvr\", \"name\": \"https://github.com/matrix-org/synapse/security/advisories/GHSA-f3wc-3vxv-xmvr\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/matrix-org/synapse/issues/14492\", \"name\": \"https://github.com/matrix-org/synapse/issues/14492\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/matrix-org/synapse/pull/14642\", \"name\": \"https://github.com/matrix-org/synapse/pull/14642\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJIJRP5ZH6B3KGFLHCAKR2IX2Y4Z25QD/\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T15:10:24.899Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-32323\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-01-14T20:00:17.125564Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-01-14T20:00:21.614Z\"}}], \"cna\": {\"title\": \"Synapse Outgoing federation to specific hosts can be disabled by sending malicious invites\", \"source\": {\"advisory\": \"GHSA-f3wc-3vxv-xmvr\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"matrix-org\", \"product\": \"synapse\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.74.0\"}]}], \"references\": [{\"url\": \"https://github.com/matrix-org/synapse/security/advisories/GHSA-f3wc-3vxv-xmvr\", \"name\": \"https://github.com/matrix-org/synapse/security/advisories/GHSA-f3wc-3vxv-xmvr\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/matrix-org/synapse/issues/14492\", \"name\": \"https://github.com/matrix-org/synapse/issues/14492\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/matrix-org/synapse/pull/14642\", \"name\": \"https://github.com/matrix-org/synapse/pull/14642\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJIJRP5ZH6B3KGFLHCAKR2IX2Y4Z25QD/\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. A malicious user on a Synapse homeserver X with permission to create certain state events can disable outbound federation from X to an arbitrary homeserver Y. Synapse instances with federation disabled are not affected. In versions of Synapse up to and including 1.73, Synapse did not limit the size of `invite_room_state`, meaning that it was possible to create an arbitrarily large invite event. Synapse 1.74 refuses to create oversized `invite_room_state` fields. Server operators should upgrade to Synapse 1.74 or newer urgently.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-20\", \"description\": \"CWE-20: Improper Input Validation\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2023-09-18T03:06:07.780Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-32323\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-02-13T16:50:32.310Z\", \"dateReserved\": \"2023-05-08T13:26:03.880Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2023-05-26T13:32:01.632Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

PYSEC-2023-67

Vulnerability from pysec - Published: 2023-05-26 14:15 - Updated: 2023-06-05 01:12

Details

Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. A malicious user on a Synapse homeserver X with permission to create certain state events can disable outbound federation from X to an arbitrary homeserver Y. Synapse instances with federation disabled are not affected. In versions of Synapse up to and including 1.73, Synapse did not limit the size of invite_room_state, meaning that it was possible to create an arbitrarily large invite event. Synapse 1.74 refuses to create oversized invite_room_state fields. Server operators should upgrade to Synapse 1.74 or newer urgently.

Impacted products

Name	purl
matrix-synapse	pkg:pypi/matrix-synapse

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "matrix-synapse",
        "purl": "pkg:pypi/matrix-synapse"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.74.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.33.5",
        "0.33.5.1",
        "0.33.6",
        "0.33.6rc1",
        "0.33.7",
        "0.33.7rc1",
        "0.33.7rc2",
        "0.33.8",
        "0.33.8rc2",
        "0.33.9",
        "0.34.0",
        "0.34.0.1",
        "0.34.0rc1",
        "0.34.0rc2",
        "0.34.1.1",
        "0.99.0",
        "0.99.0rc1",
        "0.99.0rc2",
        "0.99.0rc3",
        "0.99.0rc4",
        "0.99.1",
        "0.99.1.1",
        "0.99.1rc1",
        "0.99.1rc2",
        "0.99.2",
        "0.99.2rc1",
        "0.99.3",
        "0.99.3.1",
        "0.99.3.2",
        "0.99.3rc1",
        "0.99.4",
        "0.99.4rc1",
        "0.99.5",
        "0.99.5.1",
        "0.99.5.2",
        "0.99.5rc1",
        "1.0.0",
        "1.0.0rc1",
        "1.0.0rc2",
        "1.0.0rc3",
        "1.1.0",
        "1.1.0rc1",
        "1.1.0rc2",
        "1.10.0",
        "1.10.0rc1",
        "1.10.0rc2",
        "1.10.0rc3",
        "1.10.0rc5",
        "1.10.1",
        "1.11.0",
        "1.11.0rc1",
        "1.11.1",
        "1.12.0",
        "1.12.0rc1",
        "1.12.1",
        "1.12.1rc1",
        "1.12.2",
        "1.12.3",
        "1.12.4",
        "1.12.4rc1",
        "1.13.0",
        "1.13.0rc1",
        "1.13.0rc2",
        "1.13.0rc3",
        "1.14.0",
        "1.14.0rc1",
        "1.14.0rc2",
        "1.15.0",
        "1.15.0rc1",
        "1.15.1",
        "1.15.2",
        "1.16.0",
        "1.16.0rc1",
        "1.16.0rc2",
        "1.16.1",
        "1.17.0",
        "1.17.0rc1",
        "1.18.0",
        "1.18.0rc1",
        "1.18.0rc2",
        "1.19.0",
        "1.19.0rc1",
        "1.19.1",
        "1.19.1rc1",
        "1.19.2",
        "1.19.3",
        "1.2.0",
        "1.2.0rc1",
        "1.2.0rc2",
        "1.2.1",
        "1.20.0",
        "1.20.0rc1",
        "1.20.0rc2",
        "1.20.0rc3",
        "1.20.0rc4",
        "1.20.0rc5",
        "1.20.1",
        "1.21.0",
        "1.21.0rc1",
        "1.21.0rc2",
        "1.21.0rc3",
        "1.21.1",
        "1.21.2",
        "1.22.0",
        "1.22.0rc1",
        "1.22.0rc2",
        "1.22.1",
        "1.23.0",
        "1.23.0rc1",
        "1.23.1",
        "1.24.0",
        "1.24.0rc1",
        "1.24.0rc2",
        "1.25.0",
        "1.25.0rc1",
        "1.26.0",
        "1.26.0rc1",
        "1.26.0rc2",
        "1.27.0",
        "1.27.0rc1",
        "1.27.0rc2",
        "1.28.0",
        "1.28.0rc1",
        "1.29.0",
        "1.29.0rc1",
        "1.3.0",
        "1.3.0rc1",
        "1.3.1",
        "1.30.0",
        "1.30.0rc1",
        "1.30.1",
        "1.31.0",
        "1.31.0rc1",
        "1.32.0",
        "1.32.0rc1",
        "1.32.1",
        "1.32.2",
        "1.33.0",
        "1.33.0rc1",
        "1.33.0rc2",
        "1.33.1",
        "1.33.2",
        "1.34.0",
        "1.34.0rc1",
        "1.35.0",
        "1.35.0rc1",
        "1.35.0rc2",
        "1.35.0rc3",
        "1.35.1",
        "1.36.0",
        "1.36.0rc1",
        "1.36.0rc2",
        "1.37.0",
        "1.37.0rc1",
        "1.37.1",
        "1.37.1rc1",
        "1.38.0",
        "1.38.0rc1",
        "1.38.0rc2",
        "1.38.0rc3",
        "1.38.1",
        "1.39.0",
        "1.39.0rc1",
        "1.39.0rc2",
        "1.39.0rc3",
        "1.4.0",
        "1.4.0rc1",
        "1.4.0rc2",
        "1.4.1",
        "1.4.1rc1",
        "1.40.0",
        "1.40.0rc1",
        "1.40.0rc2",
        "1.40.0rc3",
        "1.41.0",
        "1.41.0rc1",
        "1.41.1",
        "1.42.0",
        "1.42.0rc1",
        "1.42.0rc2",
        "1.43.0",
        "1.43.0rc1",
        "1.43.0rc2",
        "1.44.0",
        "1.44.0rc1",
        "1.44.0rc2",
        "1.44.0rc3",
        "1.45.0",
        "1.45.0rc1",
        "1.45.0rc2",
        "1.45.1",
        "1.46.0",
        "1.46.0rc1",
        "1.47.0",
        "1.47.0rc1",
        "1.47.0rc2",
        "1.47.0rc3",
        "1.47.1",
        "1.48.0",
        "1.48.0rc1",
        "1.49.0",
        "1.49.0rc1",
        "1.49.2",
        "1.5.0",
        "1.5.0rc1",
        "1.5.0rc2",
        "1.5.1",
        "1.50.0",
        "1.50.0rc1",
        "1.50.0rc2",
        "1.50.1",
        "1.50.2",
        "1.51.0",
        "1.51.0rc1",
        "1.51.0rc2",
        "1.52.0",
        "1.52.0rc1",
        "1.53.0",
        "1.53.0rc1",
        "1.54.0",
        "1.54.0rc1",
        "1.55.0",
        "1.55.0rc1",
        "1.55.1",
        "1.55.2",
        "1.56.0",
        "1.56.0rc1",
        "1.57.0",
        "1.57.0rc1",
        "1.57.1",
        "1.58.0",
        "1.58.0rc2",
        "1.58.1",
        "1.59.0",
        "1.59.0rc1",
        "1.59.0rc2",
        "1.59.1",
        "1.6.0",
        "1.6.0rc1",
        "1.6.0rc2",
        "1.6.1",
        "1.60.0",
        "1.60.0rc1",
        "1.60.0rc2",
        "1.61.0",
        "1.61.0rc1",
        "1.61.1",
        "1.62.0",
        "1.62.0rc1",
        "1.62.0rc2",
        "1.62.0rc3",
        "1.63.0",
        "1.63.0rc1",
        "1.63.1",
        "1.64.0",
        "1.64.0rc1",
        "1.64.0rc2",
        "1.65.0",
        "1.65.0rc1",
        "1.65.0rc2",
        "1.66.0",
        "1.66.0rc1",
        "1.66.0rc2",
        "1.67.0",
        "1.67.0rc1",
        "1.68.0",
        "1.68.0rc1",
        "1.68.0rc2",
        "1.69.0",
        "1.69.0rc1",
        "1.69.0rc2",
        "1.69.0rc4",
        "1.7.0",
        "1.7.0rc1",
        "1.7.0rc2",
        "1.7.1",
        "1.7.2",
        "1.7.3",
        "1.70.0",
        "1.70.0rc1",
        "1.70.0rc2",
        "1.70.1",
        "1.71.0",
        "1.71.0rc1",
        "1.71.0rc2",
        "1.72.0",
        "1.72.0rc1",
        "1.73.0",
        "1.73.0rc2",
        "1.74.0rc1",
        "1.8.0",
        "1.8.0rc1",
        "1.9.0",
        "1.9.0.dev1",
        "1.9.0.dev2",
        "1.9.0rc1",
        "1.9.1"
      ]
    }
  ],
  "aliases": [
    "CVE-2023-32323",
    "GHSA-f3wc-3vxv-xmvr"
  ],
  "details": "Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. A malicious user on a Synapse homeserver X with permission to create certain state events can disable outbound federation from X to an arbitrary homeserver Y. Synapse instances with federation disabled are not affected. In versions of Synapse up to and including 1.73, Synapse did not limit the size of `invite_room_state`, meaning that it was possible to create an arbitrarily large invite event. Synapse 1.74 refuses to create oversized `invite_room_state` fields. Server operators should upgrade to Synapse 1.74 or newer urgently.\n\n",
  "id": "PYSEC-2023-67",
  "modified": "2023-06-05T01:12:54.808327Z",
  "published": "2023-05-26T14:15:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-f3wc-3vxv-xmvr"
    },
    {
      "type": "FIX",
      "url": "https://github.com/matrix-org/synapse/pull/14642"
    },
    {
      "type": "EVIDENCE",
      "url": "https://github.com/matrix-org/synapse/issues/14492"
    },
    {
      "type": "REPORT",
      "url": "https://github.com/matrix-org/synapse/issues/14492"
    }
  ]
}

GHSA-F3WC-3VXV-XMVR

Vulnerability from github – Published: 2023-05-24 17:28 – Updated: 2025-02-13 18:54

Summary

Synapse Outgoing federation to specific hosts can be disabled by sending malicious invites

Details

Impact

A malicious user on a Synapse homeserver X with permission to create certain state events can disable outbound federation from X to an arbitrary homeserver Y.

Synapse instances with federation disabled are not affected.

Details

The Matrix protocol allows homeservers to provide an invite_room_state field on a room invite containing a summary of room state. In versions of Synapse up to and including v1.73.0, Synapse did not limit the size of invite_room_state, meaning that it was possible to create an arbitrarily large invite event.

An attacker with an account on a vulnerable Synapse homeserver X could exploit this by having X create an over-sized invite event in a room with a user from another homeserver Y. Once acknowledged by the invitee's homeserver, the invite event would be sent in a batch of events to Y. If the malicious invite is so large that the entire batch is rejected as too large, X's outgoing traffic to Y would become "stuck", meaning that messages and state events created by X would remain unseen by Y.

Patches

Synapse 1.74 refuses to create oversized invite_room_state fields. Server operators should upgrade to Synapse 1.74 or newer urgently.

Workarounds

There are no robust workarounds.

This attack needs an account on Synapse homeserver X to deny federation from X to another homeserver Y. As a partial mitigation, Synapse operators can disable open registration to limit the ability of attackers to create new accounts on homeserver X.

If homeserver X has been attacked in this way, restarting it will resume outgoing federation by entering "catchup mode". For catchup mode to ignore the oversized invites, every attacked room must have a correctly-sized event sent by X which is newer than any oversized invite. This is difficult to arrange, and does not prevent the attacker from repeating their attack.

References

https://github.com/matrix-org/synapse/issues/14492 was caused by this issue.
https://github.com/matrix-org/synapse/issues/14642 includes the patch described above.

For more information

If you have any questions or comments about this advisory, e-mail us at security@matrix.org.

Severity ?

5.0 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L

5.3 (Medium)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "matrix-synapse"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.74.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-32323"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-05-24T17:28:26Z",
    "nvd_published_at": "2023-05-26T14:15:10Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nA malicious user on a Synapse homeserver X with permission to create certain state events can disable outbound federation from X to an arbitrary homeserver Y.\n\nSynapse instances with federation disabled are not affected.\n\n#### Details\n\nThe Matrix protocol allows homeservers to provide an `invite_room_state` field on a [room invite](https://spec.matrix.org/v1.5/client-server-api/#mroommember) containing a [summary of room state](https://spec.matrix.org/v1.5/client-server-api/#stripped-state).  In versions of Synapse up to and including v1.73.0, Synapse did not limit the size of `invite_room_state`, meaning that it was possible to create an arbitrarily large invite event.\n\nAn attacker with an account on a vulnerable Synapse homeserver X could exploit this by having X create an over-sized invite event in a room with a user from another homeserver Y. Once acknowledged by the invitee\u0027s homeserver, the invite event would be sent in a batch of events to Y. If the malicious invite is so large that the entire batch is rejected as too large, X\u0027s outgoing traffic to Y would become \"stuck\", meaning that messages and state events created by X would remain unseen by Y.\n\n### Patches\n\nSynapse 1.74 refuses to create oversized `invite_room_state` fields. Server operators should upgrade to Synapse 1.74 or newer urgently.\n\n### Workarounds\n\nThere are no robust workarounds.\n\nThis attack needs an account on Synapse homeserver X to deny federation from X to another homeserver Y. As a partial mitigation, Synapse operators can disable open registration to limit the ability of attackers to create new accounts on homeserver X.\n\nIf homeserver X has been attacked in this way, restarting it will resume outgoing federation by entering \"catchup mode\". For catchup mode to ignore the oversized invites, every attacked room must have a correctly-sized event sent by X which is newer than any oversized invite. This is difficult to arrange, and does not prevent the attacker from repeating their attack.\n\n### References\n\n- https://github.com/matrix-org/synapse/issues/14492 was caused by this issue.\n- https://github.com/matrix-org/synapse/issues/14642  includes the patch described above.\n\n### For more information\n\nIf you have any questions or comments about this advisory, e-mail us at [security@matrix.org](mailto:security@matrix.org).",
  "id": "GHSA-f3wc-3vxv-xmvr",
  "modified": "2025-02-13T18:54:39Z",
  "published": "2023-05-24T17:28:26Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-f3wc-3vxv-xmvr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32323"
    },
    {
      "type": "WEB",
      "url": "https://github.com/matrix-org/synapse/issues/14492"
    },
    {
      "type": "WEB",
      "url": "https://github.com/matrix-org/synapse/pull/14642"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/matrix-org/synapse"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2023-67.yaml"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJIJRP5ZH6B3KGFLHCAKR2IX2Y4Z25QD"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Synapse Outgoing federation to specific hosts can be disabled by sending malicious invites"
}

GSD-2023-32323

Vulnerability from gsd - Updated: 2023-12-13 01:20

Details

Aliases

CVE-2023-32323

Aliases

CVE-2023-32323

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-32323",
    "id": "GSD-2023-32323"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-32323"
      ],
      "details": "Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. A malicious user on a Synapse homeserver X with permission to create certain state events can disable outbound federation from X to an arbitrary homeserver Y. Synapse instances with federation disabled are not affected. In versions of Synapse up to and including 1.73, Synapse did not limit the size of `invite_room_state`, meaning that it was possible to create an arbitrarily large invite event. Synapse 1.74 refuses to create oversized `invite_room_state` fields. Server operators should upgrade to Synapse 1.74 or newer urgently.\n\n",
      "id": "GSD-2023-32323",
      "modified": "2023-12-13T01:20:23.408951Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2023-32323",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "synapse",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "\u003c 1.74.0"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "matrix-org"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. A malicious user on a Synapse homeserver X with permission to create certain state events can disable outbound federation from X to an arbitrary homeserver Y. Synapse instances with federation disabled are not affected. In versions of Synapse up to and including 1.73, Synapse did not limit the size of `invite_room_state`, meaning that it was possible to create an arbitrarily large invite event. Synapse 1.74 refuses to create oversized `invite_room_state` fields. Server operators should upgrade to Synapse 1.74 or newer urgently.\n\n"
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-20",
                "lang": "eng",
                "value": "CWE-20: Improper Input Validation"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/matrix-org/synapse/security/advisories/GHSA-f3wc-3vxv-xmvr",
            "refsource": "MISC",
            "url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-f3wc-3vxv-xmvr"
          },
          {
            "name": "https://github.com/matrix-org/synapse/issues/14492",
            "refsource": "MISC",
            "url": "https://github.com/matrix-org/synapse/issues/14492"
          },
          {
            "name": "https://github.com/matrix-org/synapse/pull/14642",
            "refsource": "MISC",
            "url": "https://github.com/matrix-org/synapse/pull/14642"
          },
          {
            "name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJIJRP5ZH6B3KGFLHCAKR2IX2Y4Z25QD/",
            "refsource": "MISC",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJIJRP5ZH6B3KGFLHCAKR2IX2Y4Z25QD/"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-f3wc-3vxv-xmvr",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c1.74.0",
          "affected_versions": "All versions before 1.74.0",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
          "cwe_ids": [
            "CWE-1035",
            "CWE-20",
            "CWE-937"
          ],
          "date": "2023-06-02",
          "description": "### Impact\n\nA malicious user on a Synapse homeserver X with permission to create certain state events can disable outbound federation from X to an arbitrary homeserver Y.\n\nSynapse instances with federation disabled are not affected.\n\n#### Details\n\nThe Matrix protocol allows homeservers to provide an `invite_room_state` field on a [room invite](https://spec.matrix.org/v1.5/client-server-api/#mroommember) containing a [summary of room state](https://spec.matrix.org/v1.5/client-server-api/#stripped-state). In versions of Synapse up to and including v1.73.0, Synapse does not limit the size of `invite_room_state`, meaning that it was possible to create an arbitrarily large invite event.\n\nAn attacker with an account on a vulnerable Synapse homeserver X could exploit this by having X create an over-sized invite event in a room with a user from another homeserver Y. Once acknowledged by the invitee\u0027s homeserver, the invite event would be sent in a batch of events to Y. If the malicious invite is so large that the entire batch is rejected as too large, X\u0027s outgoing traffic to Y would become \"stuck\", meaning that messages and state events created by X would remain unseen by Y.\n\n### Patches\n\nSynapse 1.74 refuses to create oversized `invite_room_state` fields. Server operators should upgrade to Synapse 1.74 or newer urgently.\n\n### Workarounds\n\nThere are no robust workarounds.\n\nThis attack needs an account on Synapse homeserver X to deny federation from X to another homeserver Y. As a partial mitigation, Synapse operators can disable open registration to limit the ability of attackers to create new accounts on homeserver X.\n\nIf homeserver X has been attacked in this way, restarting it will resume outgoing federation by entering \"catchup mode\". For catchup mode to ignore the oversized invites, every attacked room must have a correctly-sized event sent by X which is newer than any oversized invite. This is difficult to arrange, and does not prevent the attacker from repeating their attack.\n\n### References\n\n- https://github.com/matrix-org/synapse/issues/14492 was caused by this issue.\n- https://github.com/matrix-org/synapse/issues/14642 includes the patch described above.\n\n### For more information\n\nIf you have any questions or comments about this advisory, e-mail us at [security@matrix.org](mailto:security@matrix.org).",
          "fixed_versions": [
            "1.74.0"
          ],
          "identifier": "CVE-2023-32323",
          "identifiers": [
            "CVE-2023-32323",
            "GHSA-f3wc-3vxv-xmvr"
          ],
          "not_impacted": "All versions starting from 1.74.0",
          "package_slug": "pypi/matrix-synapse",
          "pubdate": "2023-05-26",
          "solution": "Upgrade to version 1.74.0 or above.",
          "title": "Synapse Outgoing federation to specific hosts can be disabled by sending malicious invites",
          "urls": [
            "https://github.com/matrix-org/synapse/security/advisories/GHSA-f3wc-3vxv-xmvr",
            "https://github.com/matrix-org/synapse/issues/14492",
            "https://github.com/matrix-org/synapse/pull/14642",
            "https://github.com/advisories/GHSA-f3wc-3vxv-xmvr"
          ],
          "uuid": "8396c4f6-65a5-4f05-b04a-d5fe94312bf8"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:matrix:synapse:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "1.74.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2023-32323"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. A malicious user on a Synapse homeserver X with permission to create certain state events can disable outbound federation from X to an arbitrary homeserver Y. Synapse instances with federation disabled are not affected. In versions of Synapse up to and including 1.73, Synapse did not limit the size of `invite_room_state`, meaning that it was possible to create an arbitrarily large invite event. Synapse 1.74 refuses to create oversized `invite_room_state` fields. Server operators should upgrade to Synapse 1.74 or newer urgently.\n\n"
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-20"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/matrix-org/synapse/security/advisories/GHSA-f3wc-3vxv-xmvr",
              "refsource": "MISC",
              "tags": [
                "Mitigation",
                "Vendor Advisory"
              ],
              "url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-f3wc-3vxv-xmvr"
            },
            {
              "name": "https://github.com/matrix-org/synapse/pull/14642",
              "refsource": "MISC",
              "tags": [
                "Patch"
              ],
              "url": "https://github.com/matrix-org/synapse/pull/14642"
            },
            {
              "name": "https://github.com/matrix-org/synapse/issues/14492",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Issue Tracking"
              ],
              "url": "https://github.com/matrix-org/synapse/issues/14492"
            },
            {
              "name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJIJRP5ZH6B3KGFLHCAKR2IX2Y4Z25QD/",
              "refsource": "MISC",
              "tags": [],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJIJRP5ZH6B3KGFLHCAKR2IX2Y4Z25QD/"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 1.4
        }
      },
      "lastModifiedDate": "2023-09-18T04:15Z",
      "publishedDate": "2023-05-26T14:15Z"
    }
  }
}

FKIE_CVE-2023-32323

Vulnerability from fkie_nvd - Published: 2023-05-26 14:15 - Updated: 2025-02-13 17:16

Severity ?

5.0 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/matrix-org/synapse/issues/14492	Exploit, Issue Tracking
security-advisories@github.com	https://github.com/matrix-org/synapse/pull/14642	Patch
security-advisories@github.com	https://github.com/matrix-org/synapse/security/advisories/GHSA-f3wc-3vxv-xmvr	Mitigation, Vendor Advisory
security-advisories@github.com	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJIJRP5ZH6B3KGFLHCAKR2IX2Y4Z25QD/
af854a3a-2127-422b-91ae-364da2661108	https://github.com/matrix-org/synapse/issues/14492	Exploit, Issue Tracking
af854a3a-2127-422b-91ae-364da2661108	https://github.com/matrix-org/synapse/pull/14642	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/matrix-org/synapse/security/advisories/GHSA-f3wc-3vxv-xmvr	Mitigation, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJIJRP5ZH6B3KGFLHCAKR2IX2Y4Z25QD/

Impacted products

	Vendor	Product	Version
	matrix	synapse	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:matrix:synapse:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D7B262AE-3361-41B7-8BF8-D893316A98C4",
              "versionEndExcluding": "1.74.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. A malicious user on a Synapse homeserver X with permission to create certain state events can disable outbound federation from X to an arbitrary homeserver Y. Synapse instances with federation disabled are not affected. In versions of Synapse up to and including 1.73, Synapse did not limit the size of `invite_room_state`, meaning that it was possible to create an arbitrarily large invite event. Synapse 1.74 refuses to create oversized `invite_room_state` fields. Server operators should upgrade to Synapse 1.74 or newer urgently."
    },
    {
      "lang": "es",
      "value": "Synapse es un servidor dom\u00e9stico Matrix de c\u00f3digo abierto escrito y mantenido por la Fundaci\u00f3n Matrix.org. Un usuario malicioso en un servidor dom\u00e9stico X de Synapse con permiso para crear ciertos eventos de estado puede deshabilitar la federaci\u00f3n saliente de X a un servidor dom\u00e9stico Y arbitrario. Las instancias de Synapse con la federaci\u00f3n deshabilitada no se ven afectadas. En las versiones de Synapse hasta la 1.73 inclusive, Synapse no limitaba el tama\u00f1o de `invite_room_state`, lo que significa que era posible crear un evento de invitaci\u00f3n arbitrariamente grande. Synapse 1.74 se niega a crear campos `invite_room_state` de gran tama\u00f1o. Los operadores de servidores deben actualizar urgentemente a Synapse 1.74 o posterior."
    }
  ],
  "id": "CVE-2023-32323",
  "lastModified": "2025-02-13T17:16:30.267",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 5.0,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 3.1,
        "impactScore": 1.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-05-26T14:15:10.827",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Issue Tracking"
      ],
      "url": "https://github.com/matrix-org/synapse/issues/14492"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/matrix-org/synapse/pull/14642"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-f3wc-3vxv-xmvr"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJIJRP5ZH6B3KGFLHCAKR2IX2Y4Z25QD/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Issue Tracking"
      ],
      "url": "https://github.com/matrix-org/synapse/issues/14492"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/matrix-org/synapse/pull/14642"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-f3wc-3vxv-xmvr"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJIJRP5ZH6B3KGFLHCAKR2IX2Y4Z25QD/"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-20"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-20"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2023-32323 (GCVE-0-2023-32323)

PYSEC-2023-67

GHSA-F3WC-3VXV-XMVR

Impact

Details

Patches

Workarounds

References

For more information

GSD-2023-32323

FKIE_CVE-2023-32323

Tags

Sightings

Nomenclature