Allocation of Resources Without Limits or Throttling Affecting matrix-synapse package, versions [,1.105.1)
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PYTHON-MATRIXSYNAPSE-6672872
- published 24 Apr 2024
- disclosed 23 Apr 2024
- credit Unknown
Introduced: 23 Apr 2024
CVE-2024-31208 Open this link in a new tabHow to fix?
Upgrade matrix-synapse
to version 1.105.1 or higher.
Overview
matrix-synapse is an ecosystem for open federated Instant Messaging and VoIP.
Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to a weakness in how the auth chain cover index
is calculated. An attacker can induce high CPU consumption and accumulate excessive data in the database by dispatching specially crafted events.
Workaround
Users can:
ban the malicious users or ACL block servers from the rooms; and/or
leave the room and purge the room using the admin API