CVE-2023-32323
Summary
| CVE | CVE-2023-32323 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2023-05-26 14:15:00 UTC |
| Updated | 2023-09-18 04:15:00 UTC |
| Description | Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. A malicious user on a Synapse homeserver X with permission to create certain state events can disable outbound federation from X to an arbitrary homeserver Y. Synapse instances with federation disabled are not affected. In versions of Synapse up to and including 1.73, Synapse did not limit the size of `invite_room_state`, meaning that it was possible to create an arbitrarily large invite event. Synapse 1.74 refuses to create oversized `invite_room_state` fields. Server operators should upgrade to Synapse 1.74 or newer urgently. |
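The description above says the invite event could grow without bound because `invite_room_state` was not size-limited, and one of the referenced pull requests is titled "Allow selecting "prejoin" events by state keys". The following Python is an added illustration of those two points, written for this page; it is not Synapse code and makes no claim about Synapse's internal API. It assumes a room state map keyed by `(type, state_key)`, a hypothetical prejoin configuration in two forms (by type only, and by exact type plus state_key), and a 65536-byte cap on the serialized stripped state (the Matrix PDU size limit; the exact threshold Synapse 1.74 applies is not stated on this page). The constructed room contains the three legitimate prejoin events plus many `m.room.topic` events carrying attacker-chosen state keys, which a user allowed to send that event type can create.

```python
import json

# Assumed cap for the example: Matrix limits a serialized federation event
# (PDU) to 64 KiB. The exact limit Synapse 1.74 enforces on
# invite_room_state is not stated on this page, so 65536 is an assumption.
MAX_INVITE_ROOM_STATE_BYTES = 65536

# Hypothetical "prejoin" configuration. The first form picks events by type
# only; the second pins each type to the state_key an invite should carry
# (the empty state_key used by room-wide events such as name and topic).
PREJOIN_TYPES_ONLY = ("m.room.name", "m.room.join_rules", "m.room.topic")
PREJOIN_TYPE_AND_STATE_KEY = (
    ("m.room.name", ""),
    ("m.room.join_rules", ""),
    ("m.room.topic", ""),
)


def strip_event(event: dict) -> dict:
    """Reduce a full state event to the stripped form an invite carries."""
    return {
        "type": event["type"],
        "state_key": event["state_key"],
        "sender": event["sender"],
        "content": event["content"],
    }


def select_by_type(state_map: dict) -> list:
    """Weak selection: every current state event whose type is a prejoin type,
    whatever its state_key. Anyone allowed to send that type can add as many
    distinct state_keys as they like, and all of them land in the invite."""
    return [
        strip_event(ev)
        for (etype, _key), ev in state_map.items()
        if etype in PREJOIN_TYPES_ONLY
    ]


def select_by_type_and_key(state_map: dict) -> list:
    """Hardened selection: only the exact (type, state_key) pairs configured,
    so extra events of a prejoin type under other state_keys are ignored."""
    return [strip_event(state_map[k]) for k in PREJOIN_TYPE_AND_STATE_KEY if k in state_map]


def serialized_size(obj) -> int:
    """Byte length of the compact JSON form, the quantity a size cap must bound."""
    return len(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def build_invite(state_map: dict, selector, inviter="@alice:x.example",
                 invitee="@bob:y.example") -> dict:
    """Build an invite event, refusing to emit an oversized invite_room_state
    (the refusal the advisory text attributes to Synapse 1.74)."""
    stripped = selector(state_map)
    size = serialized_size(stripped)
    if size > MAX_INVITE_ROOM_STATE_BYTES:
        raise ValueError(
            f"invite_room_state is {size} bytes, over the "
            f"{MAX_INVITE_ROOM_STATE_BYTES} byte limit; not sending"
        )
    return {
        "type": "m.room.member",
        "state_key": invitee,
        "sender": inviter,
        "content": {"membership": "invite"},
        "unsigned": {"invite_room_state": stripped},
    }


def make_room_state(n_junk: int, junk_len: int = 1000) -> dict:
    """Constructed room state keyed by (type, state_key): three legitimate
    prejoin events plus n_junk m.room.topic events with attacker-chosen keys."""
    def ev(etype, key, sender, content):
        return {"type": etype, "state_key": key, "sender": sender, "content": content}

    state = {
        ("m.room.name", ""): ev("m.room.name", "", "@alice:x.example", {"name": "Ops"}),
        ("m.room.join_rules", ""): ev("m.room.join_rules", "", "@alice:x.example", {"join_rule": "invite"}),
        ("m.room.topic", ""): ev("m.room.topic", "", "@alice:x.example", {"topic": "on-call"}),
    }
    for i in range(n_junk):
        key = f"junk{i}"
        state[("m.room.topic", key)] = ev("m.room.topic", key, "@mallory:x.example",
                                          {"topic": "A" * junk_len})
    return state


def demo(n_junk: int = 100) -> dict:
    """Run both selectors over the same poisoned room and summarise the outcome."""
    state = make_room_state(n_junk)
    by_type = select_by_type(state)
    out = {
        "by_type_count": len(by_type),
        "by_type_bytes": serialized_size(by_type),
        "by_key_count": len(select_by_type_and_key(state)),
    }
    try:
        build_invite(state, select_by_type)
        out["by_type_rejected"] = False
    except ValueError:
        out["by_type_rejected"] = True
    invite = build_invite(state, select_by_type_and_key)
    out["by_key_invite_states"] = len(invite["unsigned"]["invite_room_state"])
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

With 100 junk topic events the type-only selector produces an `invite_room_state` of over 100 KiB, which the size check refuses; the same room under the type-plus-state_key selector yields three stripped events and a normal invite. Both the selection rule and the size cap matter: the cap stops an oversized invite from ever being created, and the tighter selection keeps a room's legitimate invites working even when someone has padded it with junk state.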
Risk And Classification
Problem Types: CWE-20
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| [SECURITY] Fedora 37 Update: python-matrix-common-1.3.0-7.fc37 - package-announce - Fedora Mailing-Lists | MISC | lists.fedoraproject.org | |
| Outgoing federation to specific hosts can be disabled by sending malicious invites · Advisory · matrix-org/synapse · GitHub | MISC | github.com | |
| Federation was broken between my homeserver and matrix.org (and I fixed it with this patch) · Issue #14492 · matrix-org/synapse · GitHub | MISC | github.com | |
| Allow selecting "prejoin" events by state keys by DMRobertson · Pull Request #14642 · matrix-org/synapse · GitHub | MISC | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.