CVE-2023-32323
MEDIUM5.0EPSS 0.14%Synapse Outgoing federation to specific hosts can be disabled by sending malicious invites
發布日:2023/5/24修改日:2026/5/20
描述
Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. A malicious user on a Synapse homeserver X with permission to create certain state events can disable outbound federation from X to an arbitrary homeserver Y. Synapse instances with federation disabled are not affected. In versions of Synapse up to and including 1.73, Synapse did not limit the size of `invite_room_state`, meaning that it was possible to create an arbitrarily large invite event. Synapse 1.74 refuses to create oversized `invite_room_state` fields. Server operators should upgrade to Synapse 1.74 or newer urgently.
受影響套件(3)
- Debian/matrix-synapsefrom 0, < 1.74.0-1
- PyPI/matrix-synapsefrom 0, < 1.74.0
- PyPI/matrix-synapsefrom 0, < 1.74.0
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L |
| osv | CVSS 3.1 | MEDIUM5.0 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L |
參考連結(8)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-32323
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2023-32323
- PATCHhttps://github.com/matrix-org/synapse
- WEBhttps://github.com/matrix-org/synapse/issues/14492
- WEBhttps://github.com/matrix-org/synapse/pull/14642
- WEBhttps://github.com/matrix-org/synapse/security/advisories/GHSA-f3wc-3vxv-xmvr
- WEBhttps://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2023-67.yaml
- WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/UJIJRP5ZH6B3KGFLHCAKR2IX2Y4Z25QD