CVE-2024-52815

Synapse is an open-source Matrix homeserver. Synapse versions before 1.120.1 fail to properly validate invites received over federation. This vulnerability allows a malicious server to send a specially crafted invite that disrupts the invited user's /sync functionality. Synapse 1.120.1 rejects such invalid invites received over federation and restores the ability to sync for affected users.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
UNKNOWN
---
GitHub_MCNA
---
---
CISA-ADPADP
---
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 16%
Debian logo
Debian Releases
Debian Product
Codename
matrix-synapse
sid
1.128.0-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
matrix-synapse
oracular
deferred
noble
deferred
jammy
deferred
focal
deferred
bionic
deferred
Common Weakness Enumeration
References
https://github.com/element-hq/synapse/security/advisories/GHSA-f3r3-h2mq-hx2h