Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Synapse denial of service through media disk space consumption
Vulnerability Description
Synapse is an open-source Matrix homeserver. Synapse versions before 1.106 are vulnerable to a disk fill attack, where an unauthenticated adversary can induce Synapse to download and cache large amounts of remote media. The default rate limit strategy is insufficient to mitigate this. This can lead to a denial of service, ranging from further media uploads/downloads failing to completely unavailability of the Synapse process, depending on how Synapse was deployed. Synapse 1.106 introduces a new "leaky bucket" rate limit on remote media downloads to reduce the amount of data a user can request at a time. This does not fully address the issue, but does limit an unauthenticated user's ability to request large amounts of data to be cached.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Vulnerability Type
不加限制或调节的资源分配
Vulnerability Title
Element Synapse 安全漏洞
Vulnerability Description
Element Synapse是Element开源的一个开源 Matrix 家庭服务器实现。 Element Synapse 1.106之前版本存在安全漏洞,该漏洞源于容易受到磁盘填充攻击,未经身份验证的攻击者可以诱使Synapse下载和缓存大量远程媒体,可能会导致拒绝服务。
CVSS Information
N/A
Vulnerability Type
N/A