CVE-2024-31208

Description

### Impact A remote Matrix user with malicious intent, sharing a room with Synapse instances before 1.105.1, can dispatch specially crafted events to exploit a weakness in how the auth chain cover index is calculated. This can induce high CPU consumption and accumulate excessive data in the database of such instances, resulting in a denial of service. Servers in private federations, or those that do not federate, are not affected. ### Patches Server administrators should upgrade to 1.105.1 or later. ### Workarounds One can: - ban the malicious users or ACL block servers from the rooms; and/or - leave the room and purge the room using the admin API ### For more information If you have any questions or comments about this advisory, please email us at [security AT element.io](mailto:[email protected]).

Affected packages (3)

• Debian/matrix-synapsefrom 0, < 1.103.0-2
• PyPI/matrix-synapsefrom 0, < 1.105.1
• PyPI/matrix-synapsefrom 0, < 55b0aa847a61774b6a3acdc4b177a20dc019f01a | from 0, < 1.105.1

CVSS scores

References (10)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-31208
• ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2024-31208
• PATCHhttps://github.com/element-hq/synapse
• WEBhttps://github.com/element-hq/synapse/commit/55b0aa847a61774b6a3acdc4b177a20dc019f01a
• WEBhttps://github.com/element-hq/synapse/releases/tag/v1.105.1
• WEBhttps://github.com/element-hq/synapse/security/advisories/GHSA-3h7q-rfh9-xm4v
• WEBhttps://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2024-50.yaml
• WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/R6FCCO4ODTZ3FDS7TMW76PKOSEL2TQVB
• WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/RR53FNHV446CB37TP45GZ6F6HZLZCK3K
• WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/VSF4NJJSTSQRJQ47PLYYSCFYKJBP7DET