CVE-2023-32323 - OpenCVE

Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. A malicious user on a Synapse homeserver X with permission to create certain state events can disable outbound federation from X to an arbitrary homeserver Y. Synapse instances with federation disabled are not affected. In versions of Synapse up to and including 1.73, Synapse did not limit the size of `invite_room_state`, meaning that it was possible to create an arbitrarily large invite event. Synapse 1.74 refuses to create oversized `invite_room_state` fields. Server operators should upgrade to Synapse 1.74 or newer urgently.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Matrix	Synapse

Configuration 1 [-]

cpe:2.3:a:matrix:synapse:*:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/matrix-org/synapse/issues/14492	Exploit Issue Tracking
https://github.com/matrix-org/synapse/pull/14642	Patch
https://github.com/matrix-org/synapse/security/advisories/GHSA-f3wc-3vxv-xmvr	Mitigation Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJIJRP5ZH6B3KGFLHCAKR2IX2Y4Z25QD/

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-05-26T13:32:01.632Z

Updated: 2023-05-26T13:32:01.632Z

Reserved: 2023-05-08T13:26:03.880Z

Link: CVE-2023-32323

JSON object: View

NVD Information

Status : Modified

Published: 2023-05-26T14:15:10.827

Modified: 2023-09-18T04:15:09.300

Link: CVE-2023-32323

JSON object: View

Redhat Information

No data.

CWE

CWE-20

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-32323", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-05-08T13:26:03.880Z", "datePublished": "2023-05-26T13:32:01.632Z", "dateUpdated": "2023-05-26T13:32:01.632Z"}, "containers": {"cna": {"title": "Synapse Outgoing federation to specific hosts can be disabled by sending malicious invites", "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "lang": "en", "description": "CWE-20: Improper Input Validation", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/matrix-org/synapse/security/advisories/GHSA-f3wc-3vxv-xmvr", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-f3wc-3vxv-xmvr"}, {"name": "https://github.com/matrix-org/synapse/issues/14492", "tags": ["x_refsource_MISC"], "url": "https://github.com/matrix-org/synapse/issues/14492"}, {"name": "https://github.com/matrix-org/synapse/pull/14642", "tags": ["x_refsource_MISC"], "url": "https://github.com/matrix-org/synapse/pull/14642"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJIJRP5ZH6B3KGFLHCAKR2IX2Y4Z25QD/"}], "affected": [{"vendor": "matrix-org", "product": "synapse", "versions": [{"version": "< 1.74.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-05-26T13:32:01.632Z"}, "descriptions": [{"lang": "en", "value": "Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. A malicious user on a Synapse homeserver X with permission to create certain state events can disable outbound federation from X to an arbitrary homeserver Y. Synapse instances with federation disabled are not affected. In versions of Synapse up to and including 1.73, Synapse did not limit the size of `invite_room_state`, meaning that it was possible to create an arbitrarily large invite event. Synapse 1.74 refuses to create oversized `invite_room_state` fields. Server operators should upgrade to Synapse 1.74 or newer urgently.\n\n"}], "source": {"advisory": "GHSA-f3wc-3vxv-xmvr", "discovery": "UNKNOWN"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:matrix:synapse:*:*:*:*:*:*:*:*", "matchCriteriaId": "D7B262AE-3361-41B7-8BF8-D893316A98C4", "versionEndExcluding": "1.74.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. A malicious user on a Synapse homeserver X with permission to create certain state events can disable outbound federation from X to an arbitrary homeserver Y. Synapse instances with federation disabled are not affected. In versions of Synapse up to and including 1.73, Synapse did not limit the size of `invite_room_state`, meaning that it was possible to create an arbitrarily large invite event. Synapse 1.74 refuses to create oversized `invite_room_state` fields. Server operators should upgrade to Synapse 1.74 or newer urgently.\n\n"}, {"lang": "es", "value": "Synapse es un servidor dom\u00e9stico Matrix de c\u00f3digo abierto escrito y mantenido por la Fundaci\u00f3n Matrix.org. Un usuario malicioso en un servidor dom\u00e9stico X de Synapse con permiso para crear ciertos eventos de estado puede deshabilitar la federaci\u00f3n saliente de X a un servidor dom\u00e9stico Y arbitrario. Las instancias de Synapse con la federaci\u00f3n deshabilitada no se ven afectadas. En las versiones de Synapse hasta la 1.73 inclusive, Synapse no limitaba el tama\u00f1o de `invite_room_state`, lo que significa que era posible crear un evento de invitaci\u00f3n arbitrariamente grande. Synapse 1.74 se niega a crear campos `invite_room_state` de gran tama\u00f1o. Los operadores de servidores deben actualizar urgentemente a Synapse 1.74 o posterior."}], "id": "CVE-2023-32323", "lastModified": "2023-09-18T04:15:09.300", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-05-26T14:15:10.827", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Issue Tracking"], "url": "https://github.com/matrix-org/synapse/issues/14492"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/matrix-org/synapse/pull/14642"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-f3wc-3vxv-xmvr"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJIJRP5ZH6B3KGFLHCAKR2IX2Y4Z25QD/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Secondary"}]}