Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

CVE-2023-45129

MEDIUM
Published 2023-10-10T17:17:11.146Z
Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2023-45129. We'll provide specific mitigation strategies based on your environment and risk profile.

CVSS Score

V3.1
4.9
/10
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Base Score Metrics
Exploitability: N/A Impact: N/A

EPSS Score

v2025.03.14
0.003
probability
of exploitation in the wild

There is a 0.3% chance that this vulnerability will be exploited in the wild within the next 30 days.

Updated: 2025-06-25
Exploit Probability
Percentile: 0.484
Higher than 48.4% of all CVEs

Attack Vector Metrics

Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED

Impact Metrics

Confidentiality
NONE
Integrity
NONE
Availability
HIGH

Description

Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. Prior to version 1.94.0, a malicious server ACL event can impact performance temporarily or permanently leading to a persistent denial of service. Homeservers running on a closed federation (which presumably do not need to use server ACLs) are not affected. Server administrators are advised to upgrade to Synapse 1.94.0 or later. As a workaround, rooms with malicious server ACL events can be purged and blocked using the admin API.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

matrix-org

synapse

Affected Versions:

< 1.94.0

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

✓ GitHub Reviewed MODERATE

matrix-synapse vulnerable to denial of service due to malicious server ACL events

GHSA-5chr-wjw5-3gq4

Advisory Details

### Impact A malicious server ACL event can impact performance temporarily or permanently leading to a persistent denial of service. Homeservers running on a closed federation (which presumably do not need to use server ACLs) are not affected. ### Patches Server administrators are advised to upgrade to Synapse 1.94.0 or later. ### Workarounds Rooms with malicious server ACL events can be [purged and blocked](https://matrix-org.github.io/synapse/latest/admin_api/rooms.html#version-2-new-version) using the admin API.

Affected Packages

PyPI matrix-synapse
ECOSYSTEM: ≥0 <1.94.0

CVSS Scoring

CVSS Score

5.0

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

References

WEB https://github.com/matrix-org/synapse/security/advisories/GHSA-5chr-wjw5-3gq4
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2023-45129
WEB https://github.com/matrix-org/synapse/pull/16360
WEB https://github.com/matrix-org/synapse/commit/f84da3c32ec74cf054e2fd6d10618aa4997cffaa
PACKAGE https://github.com/matrix-org/synapse
WEB https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2023-199.yaml
WEB https://lists.fedoraproject.org/archives/list/[email protected]/message/KEVRB4MG5UXQ5RLZHSUJXM5GWEBYYS5B
WEB https://lists.fedoraproject.org/archives/list/[email protected]/message/N6P4QULVUE254WI7XF2LWWOGHCYVFXFY
WEB https://lists.fedoraproject.org/archives/list/[email protected]/message/WRO4MPQ6HOXIUZM6RJP6VTCTMV7RD2T3
WEB https://matrix-org.github.io/synapse/latest/admin_api/rooms.html#version-2-new-version
WEB https://security.gentoo.org/glsa/202401-12

Advisory provided by GitHub Security Advisory Database. Published: October 10, 2023, Modified: September 24, 2024

References

https://github.com/matrix-org/synapse/security/advisories/GHSA-5chr-wjw5-3gq4
https://github.com/matrix-org/synapse/pull/16360
https://matrix-org.github.io/synapse/latest/admin_api/rooms.html#version-2-new-version
https://lists.fedoraproject.org/archives/list/[email protected]/message/WRO4MPQ6HOXIUZM6RJP6VTCTMV7RD2T3/
https://lists.fedoraproject.org/archives/list/[email protected]/message/KEVRB4MG5UXQ5RLZHSUJXM5GWEBYYS5B/
https://lists.fedoraproject.org/archives/list/[email protected]/message/N6P4QULVUE254WI7XF2LWWOGHCYVFXFY/
https://security.gentoo.org/glsa/202401-12
Published: 2023-10-10T17:17:11.146Z
Last Modified: 2025-02-13T17:13:47.801Z
Copied to clipboard!