Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Synapse vulnerable to denial of service (DoS) due to incorrect application of event authorization rules
Vulnerability Description
Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. The Matrix specification specifies a list of [event authorization rules](https://spec.matrix.org/v1.2/rooms/v9/#authorization-rules) which must be checked when determining if an event should be accepted into a room. In versions of Synapse up to and including version 1.61.0, some of these rules are not correctly applied. An attacker could craft events which would be accepted by Synapse but not a spec-conformant server, potentially causing divergence in the room state between servers. Administrators of homeservers with federation enabled are advised to upgrade to version 1.62.0 or higher. Federation can be disabled by setting [`federation_domain_whitelist`](https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#federation_domain_whitelist) to an empty list (`[]`) as a workaround.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H
Vulnerability Type
对异常条件检查或处理不恰当
Vulnerability Title
Matrix Synapse 安全漏洞
Vulnerability Description
Matrix Synapse是英国Matrix基金会的一款矩阵管理服务器的实现。 Matrix Synapse 1.61.0 及之前版本存在安全漏洞,该漏洞源于在确定是否应将事件接受到房间时,其中一些规则未正确应用。 攻击者可以制作Synapse可以接受但不符合规范的服务器的事件,这可能会导致服务器之间的房间状态出现差异。
CVSS Information
N/A
Vulnerability Type
N/A