Synapse allows a a malformed invite to break the invitee's `/sync`

GHSA-f3r3-h2mq-hx2h · CVE-2024-52815

Published Dec 3, 2024 · Modified Dec 3, 2024

Description

Impact

Synapse versions before 1.120.1 fail to properly validate invites received over federation. This vulnerability allows a malicious server to send a specially crafted invite that disrupts the invited user's /sync functionality.

Patches

Synapse 1.120.1 rejects such invalid invites received over federation and restores the ability to sync for affected users.

Workarounds

Server administrators can disable federation from untrusted servers.

For more information

If you have any questions or comments about this advisory, please email us at security at element.io.

References

WEB https://github.com/element-hq/synapse/security/advisories/GHSA-f3r3-h2mq-hx2h
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2024-52815
PACKAGE https://github.com/element-hq/synapse

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes