CVE-2024-52815 HIGH

CVE-2024-52815: Synapse allows a a malformed invite to break the invitee's `/sync`

Vendor Element-Hq

Product synapse

Weakness CWE-20 · Input validation

Published December 3, 2024

Last update December 3, 2024

View on NVD All CVEs

CVSS base score

8.7/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Synapse is an open-source Matrix homeserver. Synapse versions before 1.120.1 fail to properly validate invites received over federation. This vulnerability allows a malicious server to send a specially crafted invite that disrupts the invited user's /sync functionality. Synapse 1.120.1 rejects such invalid invites received over federation and restores the ability to sync for affected users.

Key dates

02Disclosure timeline

December 3, 2024 CVE published

December 3, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-52815

Related vulnerabilities

CVE-2024-52815: Synapse allows a a malformed invite to break the invitee's `/sync`

01Description

02Disclosure timeline

03References

04Related CVE