GHSA-rfq8-j7rh-8hf2
Suggest an improvement- Source
- https://github.com/advisories/GHSA-rfq8-j7rh-8hf2
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-rfq8-j7rh-8hf2/GHSA-rfq8-j7rh-8hf2.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-rfq8-j7rh-8hf2
- Aliases
- Published
- 2024-12-03T18:40:39Z
- Modified
- 2024-12-03T18:57:14.874271Z
- Severity
-
- 8.2 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVSS Calculator
- Summary
- Synapse allows unsupported content types to lead to memory exhaustion
- Details
-
Impact
In Synapse before 1.120.1,
multipart/form-datarequests can in certain configurations transiently increase memory consumption beyond expected levels while processing the request, which can be used to amplify denial of service attacks.Patches
Synapse 1.120.1 resolves the issue by denying requests with unsupported
multipart/form-datacontent type.Workarounds
Limiting request sizes or blocking the
multipart/form-datacontent type before the requests reach Synapse, for example in a reverse proxy, alleviates the issue. Another approach that mitigates the attack is to use a lowmax_upload_sizein Synapse.References
- https://github.com/twisted/twisted/issues/4688#issuecomment-1167705518
- https://github.com/twisted/twisted/issues/4688#issuecomment-2385711609
For more information
If you have any questions or comments about this advisory, please email us at security at element.io.
- Database specific
{ "nvd_published_at": "2024-12-03T17:15:12Z", "severity": "HIGH", "github_reviewed_at": "2024-12-03T18:40:39Z", "github_reviewed": true, "cwe_ids": [ "CWE-770" ] }- References
-
- https://github.com/element-hq/synapse/security/advisories/GHSA-rfq8-j7rh-8hf2
- https://nvd.nist.gov/vuln/detail/CVE-2024-52805
- https://github.com/twisted/twisted/issues/4688#issuecomment-1167705518
- https://github.com/twisted/twisted/issues/4688#issuecomment-2385711609
- https://github.com/element-hq/synapse
Affected packages
PyPI / matrix-synapse
Package
- Name
- matrix-synapse
- View open source insights on deps.dev
- Purl
- pkg:pypi/matrix-synapse
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.120.1
Affected versions
0.*
0.33.5
0.33.5.1
0.33.6rc1
0.33.6
0.33.7rc1
0.33.7rc2
0.33.7
0.33.8rc2
0.33.8
0.33.9
0.34.0rc1
0.34.0rc2
0.34.0
0.34.0.1
0.34.1.1
0.99.0rc1
0.99.0rc2
0.99.0rc3
0.99.0rc4
0.99.0
0.99.1rc1
0.99.1rc2
0.99.1
0.99.1.1
0.99.2rc1
0.99.2
0.99.3rc1
0.99.3
0.99.3.1
0.99.3.2
0.99.4rc1
0.99.4
0.99.5rc1
0.99.5
0.99.5.1
0.99.5.2
1.*
1.0.0rc1
1.0.0rc2
1.0.0rc3
1.0.0
1.1.0rc1
1.1.0rc2
1.1.0
1.2.0rc1
1.2.0rc2
1.2.0
1.2.1
1.3.0rc1
1.3.0
1.3.1
1.4.0rc1
1.4.0rc2
1.4.0
1.4.1rc1
1.4.1
1.5.0rc1
1.5.0rc2
1.5.0
1.5.1
1.6.0rc1
1.6.0rc2
1.6.0
1.6.1
1.7.0rc1
1.7.0rc2
1.7.0
1.7.1
1.7.2
1.7.3
1.8.0rc1
1.8.0
1.9.0.dev1
1.9.0.dev2
1.9.0rc1
1.9.0
1.9.1
1.10.0rc1
1.10.0rc2
1.10.0rc3
1.10.0rc5
1.10.0
1.10.1
1.11.0rc1
1.11.0
1.11.1
1.12.0rc1
1.12.0
1.12.1rc1
1.12.1
1.12.2
1.12.3
1.12.4rc1
1.12.4
1.13.0rc1
1.13.0rc2
1.13.0rc3
1.13.0
1.14.0rc1
1.14.0rc2
1.14.0
1.15.0rc1
1.15.0
1.15.1
1.15.2
1.16.0rc1
1.16.0rc2
1.16.0
1.16.1
1.17.0rc1
1.17.0
1.18.0rc1
1.18.0rc2
1.18.0
1.19.0rc1
1.19.0
1.19.1rc1
1.19.1
1.19.2
1.19.3
1.20.0rc1
1.20.0rc2
1.20.0rc3
1.20.0rc4
1.20.0rc5
1.20.0
1.20.1
1.21.0rc1
1.21.0rc2
1.21.0rc3
1.21.0
1.21.1
1.21.2
1.22.0rc1
1.22.0rc2
1.22.0
1.22.1
1.23.0rc1
1.23.0
1.23.1
1.24.0rc1
1.24.0rc2
1.24.0
1.25.0rc1
1.25.0
1.26.0rc1
1.26.0rc2
1.26.0
1.27.0rc1
1.27.0rc2
1.27.0
1.28.0rc1
1.28.0
1.29.0rc1
1.29.0
1.30.0rc1
1.30.0
1.30.1
1.31.0rc1
1.31.0
1.32.0rc1
1.32.0
1.32.1
1.32.2
1.33.0rc1
1.33.0rc2
1.33.0
1.33.1
1.33.2
1.34.0rc1
1.34.0
1.35.0rc1
1.35.0rc2
1.35.0rc3
1.35.0
1.35.1
1.36.0rc1
1.36.0rc2
1.36.0
1.37.0rc1
1.37.0
1.37.1rc1
1.37.1
1.38.0rc1
1.38.0rc2
1.38.0rc3
1.38.0
1.38.1
1.39.0rc1
1.39.0rc2
1.39.0rc3
1.39.0
1.40.0rc1
1.40.0rc2
1.40.0rc3
1.40.0
1.41.0rc1
1.41.0
1.41.1
1.42.0rc1
1.42.0rc2
1.42.0
1.43.0rc1
1.43.0rc2
1.43.0
1.44.0rc1
1.44.0rc2
1.44.0rc3
1.44.0
1.45.0rc1
1.45.0rc2
1.45.0
1.45.1
1.46.0rc1
1.46.0
1.47.0rc1
1.47.0rc2
1.47.0rc3
1.47.0
1.47.1
1.48.0rc1
1.48.0
1.49.0rc1
1.49.0
1.49.2
1.50.0rc1
1.50.0rc2
1.50.0
1.50.1
1.50.2
1.51.0rc1
1.51.0rc2
1.51.0
1.52.0rc1
1.52.0
1.53.0rc1
1.53.0
1.54.0rc1
1.54.0
1.55.0rc1
1.55.0
1.55.1
1.55.2
1.56.0rc1
1.56.0
1.57.0rc1
1.57.0
1.57.1
1.58.0rc2
1.58.0
1.58.1
1.59.0rc1
1.59.0rc2
1.59.0
1.59.1
1.60.0rc1
1.60.0rc2
1.60.0
1.61.0rc1
1.61.0
1.61.1
1.62.0rc1
1.62.0rc2
1.62.0rc3
1.62.0
1.63.0rc1
1.63.0
1.63.1
1.64.0rc1
1.64.0rc2
1.64.0
1.65.0rc1
1.65.0rc2
1.65.0
1.66.0rc1
1.66.0rc2
1.66.0
1.67.0rc1
1.67.0
1.68.0rc1
1.68.0rc2
1.68.0
1.69.0rc1
1.69.0rc2
1.69.0rc4
1.69.0
1.70.0rc1
1.70.0rc2
1.70.0
1.70.1
1.71.0rc1
1.71.0rc2
1.71.0
1.72.0rc1
1.72.0
1.73.0rc2
1.73.0
1.74.0rc1
1.74.0
1.75.0rc1
1.75.0rc2
1.75.0
1.76.0rc1
1.76.0rc2
1.76.0
1.77.0rc1
1.77.0rc2
1.77.0
1.78.0rc1
1.78.0
1.79.0rc1
1.79.0rc2
1.79.0
1.80.0rc1
1.80.0rc2
1.80.0
1.81.0rc1
1.81.0rc2
1.81.0
1.82.0rc1
1.82.0
1.83.0rc1
1.83.0
1.84.0rc1
1.84.0
1.84.1
1.85.0rc1
1.85.0rc2
1.85.0
1.85.1
1.85.2
1.86.0rc2
1.86.0
1.87.0rc1
1.87.0
1.88.0rc1
1.88.0
1.89.0rc1
1.89.0
1.90.0rc1
1.90.0
1.91.0rc1
1.91.0
1.91.1
1.91.2
1.92.0rc1
1.92.1
1.92.2
1.92.3
1.93.0rc1
1.93.0
1.94.0rc1
1.94.0
1.95.0rc1
1.95.0
1.95.1
1.96.0rc1
1.96.1
1.97.0rc1
1.97.0
1.98.0rc1
1.98.0
1.99.0rc1
1.99.0
1.100.0rc2
1.100.0rc3
1.100.0
1.101.0rc1
1.101.0
1.102.0rc1
1.102.0
1.103.0rc1
1.103.0
1.104.0rc1
1.104.0
1.105.0rc1
1.105.0
1.105.1
1.106.0rc1
1.106.0
1.107.0rc1
1.107.0
1.108.0rc1
1.108.0
1.109.0rc1
1.109.0rc2
1.109.0rc3
1.109.0
1.110.0rc2
1.110.0rc3
1.110.0
1.111.0rc1
1.111.0rc2
1.111.0
1.111.1
1.112.0rc1
1.112.0
1.113.0rc1
1.113.0
1.114.0rc1
1.114.0rc3
1.114.0
1.115.0rc1
1.115.0rc2
1.115.0
1.116.0rc1
1.116.0rc2
1.116.0
1.117.0rc1
1.117.0
1.118.0rc1
1.118.0
1.119.0rc2
1.119.0
1.120.0rc1
1.120.0