Search

Find a vulnerability

Search criteria

    22 vulnerabilities found for synapse by element-hq

    CVE-2026-45078 (GCVE-0-2026-45078)

    Vulnerability from nvd – Published: 2026-05-28 15:52 – Updated: 2026-05-29 15:31
    VLAI
    Title
    Synapse CPU starvation (Denial of Service)
    Summary
    Synapse is an open source Matrix homeserver implementation. Prior to 1.152.1, local authenticated users can cause Synapse to starve other requests of CPU and lead to other requests failing, causing other users to be denied service. This vulnerability is fixed in 1.152.1.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    References
    Impacted products
    Vendor Product Version
    element-hq synapse Affected: < 1.152.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-45078",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-29T15:31:35.828810Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-29T15:31:44.793Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "synapse",
              "vendor": "element-hq",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.152.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Synapse is an open source Matrix homeserver implementation. Prior to 1.152.1, local authenticated users can cause Synapse to starve other requests of CPU and lead to other requests failing, causing other users to be denied service. This vulnerability is fixed in 1.152.1."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "LOCAL",
                "baseScore": 6.8,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-28T15:52:04.765Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/element-hq/synapse/security/advisories/GHSA-8q93-326v-3m7g",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/element-hq/synapse/security/advisories/GHSA-8q93-326v-3m7g"
            }
          ],
          "source": {
            "advisory": "GHSA-8q93-326v-3m7g",
            "discovery": "UNKNOWN"
          },
          "title": "Synapse CPU starvation (Denial of Service)"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-45078",
        "datePublished": "2026-05-28T15:52:04.765Z",
        "dateReserved": "2026-05-08T18:45:10.097Z",
        "dateUpdated": "2026-05-29T15:31:44.793Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-45076 (GCVE-0-2026-45076)

    Vulnerability from nvd – Published: 2026-05-28 15:50 – Updated: 2026-06-02 14:51
    VLAI
    Title
    Synapse pagination denial of service
    Summary
    Synapse is an open source Matrix homeserver implementation. Prior to 1.152.1, in federated rooms, malicious homeservers can craft room events in such a way that prevents Synapse from providing full history to paginating clients. Clients could therefore fail to display room history. This vulnerability is fixed in 1.152.1.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    References
    Impacted products
    Vendor Product Version
    element-hq synapse Affected: < 1.152.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-45076",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-02T14:51:22.795858Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-02T14:51:34.553Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "synapse",
              "vendor": "element-hq",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.152.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Synapse is an open source Matrix homeserver implementation. Prior to 1.152.1, in federated rooms, malicious homeservers can craft room events in such a way that prevents Synapse from providing full history to paginating clients. Clients could therefore fail to display room history. This vulnerability is fixed in 1.152.1."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.1,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "HIGH",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20: Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-28T15:50:25.842Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/element-hq/synapse/security/advisories/GHSA-6qf2-7x63-mm6v",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/element-hq/synapse/security/advisories/GHSA-6qf2-7x63-mm6v"
            }
          ],
          "source": {
            "advisory": "GHSA-6qf2-7x63-mm6v",
            "discovery": "UNKNOWN"
          },
          "title": "Synapse pagination denial of service"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-45076",
        "datePublished": "2026-05-28T15:50:25.842Z",
        "dateReserved": "2026-05-08T18:45:10.096Z",
        "dateUpdated": "2026-06-02T14:51:34.553Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-61672 (GCVE-0-2025-61672)

    Vulnerability from nvd – Published: 2025-10-08 14:55 – Updated: 2025-10-15 16:11
    VLAI
    Title
    Synapse: Invalid device keys degrade federation functionality
    Summary
    Synapse is an open source Matrix homeserver implementation. Lack of validation for device keys in Synapse before 1.138.3 and in Synapse 1.139.0 allow an attacker registered on the victim homeserver to degrade federation functionality, unpredictably breaking outbound federation to other homeservers. The issue is patched in Synapse 1.138.3, 1.138.4, 1.139.1, and 1.139.2. Note that even though 1.138.3 and 1.139.1 fix the vulnerability, they inadvertently introduced an unrelated regression. For this reason, the maintainers of Synapse recommend skipping these releases and upgrading straight to 1.138.4 and 1.139.2.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1287 - Improper Validation of Specified Type of Input
    Assigner
    Impacted products
    Vendor Product Version
    element-hq synapse Affected: < 1.138.3
    Affected: = 1.139.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-61672",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-15T16:10:58.297046Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-15T16:11:07.284Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "synapse",
              "vendor": "element-hq",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.138.3"
                },
                {
                  "status": "affected",
                  "version": "= 1.139.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Synapse is an open source Matrix homeserver implementation. Lack of validation for device keys in Synapse before 1.138.3 and in Synapse 1.139.0 allow an attacker registered on the victim homeserver to degrade federation functionality, unpredictably breaking outbound federation to other homeservers. The issue is patched in Synapse 1.138.3, 1.138.4, 1.139.1, and 1.139.2. Note that even though 1.138.3 and 1.139.1 fix the vulnerability, they inadvertently introduced an unrelated regression. For this reason, the maintainers of Synapse recommend skipping these releases and upgrading straight to 1.138.4 and 1.139.2."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "LOW"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1287",
                  "description": "CWE-1287: Improper Validation of Specified Type of Input",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-08T14:55:06.378Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/element-hq/synapse/security/advisories/GHSA-fh66-fcv5-jjfr",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/element-hq/synapse/security/advisories/GHSA-fh66-fcv5-jjfr"
            },
            {
              "name": "https://github.com/element-hq/synapse/pull/17097",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/element-hq/synapse/pull/17097"
            },
            {
              "name": "https://github.com/element-hq/synapse/commit/26aaaf9e48fff80cf67a20c691c75d670034b3c1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/element-hq/synapse/commit/26aaaf9e48fff80cf67a20c691c75d670034b3c1"
            },
            {
              "name": "https://github.com/element-hq/synapse/commit/7069636c2d6d1ef2022287addf3ed8b919ef2740",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/element-hq/synapse/commit/7069636c2d6d1ef2022287addf3ed8b919ef2740"
            },
            {
              "name": "https://github.com/element-hq/synapse/releases/tag/v1.138.3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/element-hq/synapse/releases/tag/v1.138.3"
            },
            {
              "name": "https://github.com/element-hq/synapse/releases/tag/v1.139.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/element-hq/synapse/releases/tag/v1.139.1"
            }
          ],
          "source": {
            "advisory": "GHSA-fh66-fcv5-jjfr",
            "discovery": "UNKNOWN"
          },
          "title": "Synapse: Invalid device keys degrade federation functionality"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-61672",
        "datePublished": "2025-10-08T14:55:06.378Z",
        "dateReserved": "2025-09-29T20:25:16.180Z",
        "dateUpdated": "2025-10-15T16:11:07.284Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-30355 (GCVE-0-2025-30355)

    Vulnerability from nvd – Published: 2025-03-27 00:59 – Updated: 2025-03-27 13:47
    VLAI
    Title
    Synapse vulnerable to federation denial of service via malformed events
    Summary
    Synapse is an open source Matrix homeserver implementation. A malicious server can craft events which, when received, prevent Synapse version up to 1.127.0 from federating with other servers. The vulnerability has been exploited in the wild and has been fixed in Synapse v1.127.1. No known workarounds are available.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    Impacted products
    Vendor Product Version
    element-hq synapse Affected: < 1.127.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-30355",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-27T13:47:41.011255Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-27T13:47:50.179Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "synapse",
              "vendor": "element-hq",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.127.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Synapse is an open source Matrix homeserver implementation. A malicious server can craft events which, when received, prevent Synapse version up to 1.127.0 from federating with other servers. The vulnerability has been exploited in the wild and has been fixed in Synapse v1.127.1. No known workarounds are available."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20: Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-03-27T00:59:27.996Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/element-hq/synapse/security/advisories/GHSA-v56r-hwv5-mxg6",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/element-hq/synapse/security/advisories/GHSA-v56r-hwv5-mxg6"
            },
            {
              "name": "https://github.com/element-hq/synapse/commit/2277df2a1eb685f85040ef98fa21d41aa4cdd389",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/element-hq/synapse/commit/2277df2a1eb685f85040ef98fa21d41aa4cdd389"
            },
            {
              "name": "https://github.com/element-hq/synapse/releases/tag/v1.127.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/element-hq/synapse/releases/tag/v1.127.1"
            }
          ],
          "source": {
            "advisory": "GHSA-v56r-hwv5-mxg6",
            "discovery": "UNKNOWN"
          },
          "title": "Synapse vulnerable to federation denial of service via malformed events"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-30355",
        "datePublished": "2025-03-27T00:59:27.996Z",
        "dateReserved": "2025-03-21T14:12:06.270Z",
        "dateUpdated": "2025-03-27T13:47:50.179Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-53867 (GCVE-0-2024-53867)

    Vulnerability from nvd – Published: 2024-12-03 16:52 – Updated: 2024-12-03 19:07
    VLAI
    Title
    Synapse Matrix has a partial room state leak via Sliding Sync
    Summary
    Synapse is an open-source Matrix homeserver. The Sliding Sync feature on Synapse versions between 1.113.0rc1 and 1.120.0 can leak partial room state changes to users no longer in a room. Non-state events, like messages, are unaffected. This vulnerability is fixed in 1.120.1.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-497 - Exposure of Sensitive System Information to an Unauthorized Control Sphere
    Assigner
    References
    Impacted products
    Vendor Product Version
    element-hq synapse Affected: >= 1.113.0rc1, < 1.120.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-53867",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-03T19:07:06.315341Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-12-03T19:07:19.919Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "synapse",
              "vendor": "element-hq",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.113.0rc1, \u003c 1.120.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Synapse is an open-source Matrix homeserver. The Sliding Sync feature on Synapse versions between 1.113.0rc1 and 1.120.0 can leak partial room state changes to users no longer in a room. Non-state events, like messages, are unaffected. This vulnerability is fixed in 1.120.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-497",
                  "description": "CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-12-03T16:52:01.596Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/element-hq/synapse/security/advisories/GHSA-56w4-5538-8v8h",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/element-hq/synapse/security/advisories/GHSA-56w4-5538-8v8h"
            },
            {
              "name": "https://github.com/matrix-org/matrix-spec-proposals/pull/4186",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/matrix-org/matrix-spec-proposals/pull/4186"
            }
          ],
          "source": {
            "advisory": "GHSA-56w4-5538-8v8h",
            "discovery": "UNKNOWN"
          },
          "title": "Synapse Matrix has a partial room state leak via Sliding Sync"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-53867",
        "datePublished": "2024-12-03T16:52:01.596Z",
        "dateReserved": "2024-11-22T17:30:02.145Z",
        "dateUpdated": "2024-12-03T19:07:19.919Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-53863 (GCVE-0-2024-53863)

    Vulnerability from nvd – Published: 2024-12-03 16:48 – Updated: 2024-12-03 19:08
    VLAI
    Title
    Synapse can be forced to thumbnail unexpected file formats, invoking external, potentially untrustworthy decoders
    Summary
    Synapse is an open-source Matrix homeserver. In Synapse versions before 1.120.1, enabling the dynamic_thumbnails option or processing a specially crafted request could trigger the decoding and thumbnail generation of uncommon image formats, potentially invoking external tools like Ghostscript for processing. This significantly expands the attack surface in a historically vulnerable area, presenting a risk that far outweighs the benefit, particularly since these formats are rarely used on the open web or within the Matrix ecosystem. Synapse 1.120.1 addresses the issue by restricting thumbnail generation to images in the following widely used formats: PNG, JPEG, GIF, and WebP. This vulnerability is fixed in 1.120.1.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-434 - Unrestricted Upload of File with Dangerous Type
    Assigner
    References
    Impacted products
    Vendor Product Version
    element-hq synapse Affected: < 1.120.1
    Create a notification for this product.
    element-hq synapse Affected: 0 , < 1.120.1 (custom)
        cpe:2.3:a:element-hq:synapse:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:element-hq:synapse:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "synapse",
                "vendor": "element-hq",
                "versions": [
                  {
                    "lessThan": "1.120.1",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-53863",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-03T19:07:32.536899Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-12-03T19:08:30.218Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "synapse",
              "vendor": "element-hq",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.120.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Synapse is an open-source Matrix homeserver. In Synapse versions before 1.120.1, enabling the dynamic_thumbnails option or processing a specially crafted request could trigger the decoding and thumbnail generation of uncommon image formats, potentially invoking external tools like Ghostscript for processing. This significantly expands the attack surface in a historically vulnerable area, presenting a risk that far outweighs the benefit, particularly since these formats are rarely used on the open web or within the Matrix ecosystem. Synapse 1.120.1 addresses the issue by restricting thumbnail generation to images in the following widely used formats: PNG, JPEG, GIF, and WebP. This vulnerability is fixed in 1.120.1."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-434",
                  "description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-12-03T16:48:29.722Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/element-hq/synapse/security/advisories/GHSA-vp6v-whfm-rv3g",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/element-hq/synapse/security/advisories/GHSA-vp6v-whfm-rv3g"
            }
          ],
          "source": {
            "advisory": "GHSA-vp6v-whfm-rv3g",
            "discovery": "UNKNOWN"
          },
          "title": "Synapse can be forced to thumbnail unexpected file formats, invoking external, potentially untrustworthy decoders"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-53863",
        "datePublished": "2024-12-03T16:48:29.722Z",
        "dateReserved": "2024-11-22T17:30:02.145Z",
        "dateUpdated": "2024-12-03T19:08:30.218Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-52815 (GCVE-0-2024-52815)

    Vulnerability from nvd – Published: 2024-12-03 16:58 – Updated: 2024-12-03 19:06
    VLAI
    Title
    Synapse allows a a malformed invite to break the invitee's `/sync`
    Summary
    Synapse is an open-source Matrix homeserver. Synapse versions before 1.120.1 fail to properly validate invites received over federation. This vulnerability allows a malicious server to send a specially crafted invite that disrupts the invited user's /sync functionality. Synapse 1.120.1 rejects such invalid invites received over federation and restores the ability to sync for affected users.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    References
    Impacted products
    Vendor Product Version
    element-hq synapse Affected: < 1.120.1
    Create a notification for this product.
    element-hq synapse Affected: 0 , < 1.120.1 (custom)
        cpe:2.3:a:element-hq:synapse:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:element-hq:synapse:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "synapse",
                "vendor": "element-hq",
                "versions": [
                  {
                    "lessThan": "1.120.1",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-52815",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-03T19:05:32.860627Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-12-03T19:06:11.082Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "synapse",
              "vendor": "element-hq",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.120.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Synapse is an open-source Matrix homeserver. Synapse versions before 1.120.1 fail to properly validate invites received over federation. This vulnerability allows a malicious server to send a specially crafted invite that disrupts the invited user\u0027s /sync functionality. Synapse 1.120.1 rejects such invalid invites received over federation and restores the ability to sync for affected users."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20: Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-12-03T16:59:21.634Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/element-hq/synapse/security/advisories/GHSA-f3r3-h2mq-hx2h",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/element-hq/synapse/security/advisories/GHSA-f3r3-h2mq-hx2h"
            }
          ],
          "source": {
            "advisory": "GHSA-f3r3-h2mq-hx2h",
            "discovery": "UNKNOWN"
          },
          "title": "Synapse allows a a malformed invite to break the invitee\u0027s `/sync`"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-52815",
        "datePublished": "2024-12-03T16:58:30.877Z",
        "dateReserved": "2024-11-15T17:11:13.444Z",
        "dateUpdated": "2024-12-03T19:06:11.082Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-52805 (GCVE-0-2024-52805)

    Vulnerability from nvd – Published: 2024-12-03 17:01 – Updated: 2024-12-03 19:04
    VLAI
    Title
    Synapse allows unsupported content types to lead to memory exhaustion
    Summary
    Synapse is an open-source Matrix homeserver. In Synapse before 1.120.1, multipart/form-data requests can in certain configurations transiently increase memory consumption beyond expected levels while processing the request, which can be used to amplify denial of service attacks. Synapse 1.120.1 resolves the issue by denying requests with unsupported multipart/form-data content type.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    Impacted products
    Vendor Product Version
    element-hq synapse Affected: < 1.120.1
    Create a notification for this product.
    element-hq synapse Affected: 0 , < 1.120.1 (custom)
        cpe:2.3:a:element-hq:synapse:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:element-hq:synapse:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "synapse",
                "vendor": "element-hq",
                "versions": [
                  {
                    "lessThan": "1.120.1",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-52805",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-03T19:04:05.237385Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-12-03T19:04:44.446Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "synapse",
              "vendor": "element-hq",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.120.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Synapse is an open-source Matrix homeserver. In Synapse before 1.120.1, multipart/form-data requests can in certain configurations transiently increase memory consumption beyond expected levels while processing the request, which can be used to amplify denial of service attacks. Synapse 1.120.1 resolves the issue by denying requests with unsupported multipart/form-data content type."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-12-03T17:01:50.119Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/element-hq/synapse/security/advisories/GHSA-rfq8-j7rh-8hf2",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/element-hq/synapse/security/advisories/GHSA-rfq8-j7rh-8hf2"
            },
            {
              "name": "https://github.com/twisted/twisted/issues/4688#issuecomment-1167705518",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/twisted/twisted/issues/4688#issuecomment-1167705518"
            },
            {
              "name": "https://github.com/twisted/twisted/issues/4688#issuecomment-2385711609",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/twisted/twisted/issues/4688#issuecomment-2385711609"
            }
          ],
          "source": {
            "advisory": "GHSA-rfq8-j7rh-8hf2",
            "discovery": "UNKNOWN"
          },
          "title": "Synapse allows unsupported content types to lead to memory exhaustion"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-52805",
        "datePublished": "2024-12-03T17:01:50.119Z",
        "dateReserved": "2024-11-15T17:11:13.442Z",
        "dateUpdated": "2024-12-03T19:04:44.446Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-37303 (GCVE-0-2024-37303)

    Vulnerability from nvd – Published: 2024-12-03 17:06 – Updated: 2024-12-03 18:51
    VLAI
    Title
    Synapse unauthenticated writes to the media repository allow planting of problematic content
    Summary
    Synapse is an open-source Matrix homeserver. Synapse before version 1.106 allows, by design, unauthenticated remote participants to trigger a download and caching of remote media from a remote homeserver to the local media repository. Such content then also becomes available for download from the local homeserver in an unauthenticated way. The implication is that unauthenticated remote adversaries can use this functionality to plant problematic content into the media repository. Synapse 1.106 introduces a partial mitigation in the form of new endpoints which require authentication for media downloads. The unauthenticated endpoints will be frozen in a future release, closing the attack vector.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-306 - Missing Authentication for Critical Function
    Assigner
    References
    Impacted products
    Vendor Product Version
    element-hq synapse Affected: < 1.106
    Create a notification for this product.
    element-hq synapse Affected: 0 , < 1.106 (custom)
        cpe:2.3:a:element-hq:synapse:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:element-hq:synapse:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "synapse",
                "vendor": "element-hq",
                "versions": [
                  {
                    "lessThan": "1.106",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-37303",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-03T18:49:29.668536Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-12-03T18:51:29.590Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "synapse",
              "vendor": "element-hq",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.106"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Synapse is an open-source Matrix homeserver. Synapse before version 1.106 allows, by design, unauthenticated remote participants to trigger a download and caching of remote media from a remote homeserver to the local media repository. Such content then also becomes available for download from the local homeserver in an unauthenticated way. The implication is that unauthenticated remote adversaries can use this functionality to plant problematic content into the media repository. Synapse 1.106 introduces a partial mitigation in the form of new endpoints which require authentication for media downloads. The unauthenticated endpoints will be frozen in a future release, closing the attack vector."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-306",
                  "description": "CWE-306: Missing Authentication for Critical Function",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-12-03T17:06:02.467Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/element-hq/synapse/security/advisories/GHSA-gjgr-7834-rhxr",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/element-hq/synapse/security/advisories/GHSA-gjgr-7834-rhxr"
            },
            {
              "name": "https://github.com/matrix-org/matrix-spec-proposals/pull/3916",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/matrix-org/matrix-spec-proposals/pull/3916"
            }
          ],
          "source": {
            "advisory": "GHSA-gjgr-7834-rhxr",
            "discovery": "UNKNOWN"
          },
          "title": "Synapse unauthenticated writes to the media repository allow planting of problematic content"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-37303",
        "datePublished": "2024-12-03T17:06:02.467Z",
        "dateReserved": "2024-06-05T20:10:46.497Z",
        "dateUpdated": "2024-12-03T18:51:29.590Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-37302 (GCVE-0-2024-37302)

    Vulnerability from nvd – Published: 2024-12-03 17:04 – Updated: 2024-12-03 18:56
    VLAI
    Title
    Synapse denial of service through media disk space consumption
    Summary
    Synapse is an open-source Matrix homeserver. Synapse versions before 1.106 are vulnerable to a disk fill attack, where an unauthenticated adversary can induce Synapse to download and cache large amounts of remote media. The default rate limit strategy is insufficient to mitigate this. This can lead to a denial of service, ranging from further media uploads/downloads failing to completely unavailability of the Synapse process, depending on how Synapse was deployed. Synapse 1.106 introduces a new "leaky bucket" rate limit on remote media downloads to reduce the amount of data a user can request at a time. This does not fully address the issue, but does limit an unauthenticated user's ability to request large amounts of data to be cached.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    References
    Impacted products
    Vendor Product Version
    element-hq synapse Affected: < 1.106
    Create a notification for this product.
    element-hq synapse Affected: 0 , < 1.106 (custom)
        cpe:2.3:a:element-hq:synapse:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:element-hq:synapse:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "synapse",
                "vendor": "element-hq",
                "versions": [
                  {
                    "lessThan": "1.106",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-37302",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-03T18:55:21.581964Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-12-03T18:56:17.082Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "synapse",
              "vendor": "element-hq",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.106"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Synapse is an open-source Matrix homeserver. Synapse versions before 1.106 are vulnerable to a disk fill attack, where an unauthenticated adversary can induce Synapse to download and cache large amounts of remote media. The default rate limit strategy is insufficient to mitigate this. This can lead to a denial of service, ranging from further media uploads/downloads failing to completely unavailability of the Synapse process, depending on how Synapse was deployed. Synapse 1.106 introduces a new \"leaky bucket\" rate limit on remote media downloads to reduce the amount of data a user can request at a time. This does not fully address the issue, but does limit an unauthenticated user\u0027s ability to request large amounts of data to be cached."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-12-03T17:04:15.839Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/element-hq/synapse/security/advisories/GHSA-4mhg-xv73-xq2x",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/element-hq/synapse/security/advisories/GHSA-4mhg-xv73-xq2x"
            }
          ],
          "source": {
            "advisory": "GHSA-4mhg-xv73-xq2x",
            "discovery": "UNKNOWN"
          },
          "title": "Synapse denial of service through media disk space consumption"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-37302",
        "datePublished": "2024-12-03T17:04:15.839Z",
        "dateReserved": "2024-06-05T20:10:46.497Z",
        "dateUpdated": "2024-12-03T18:56:17.082Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-31208 (GCVE-0-2024-31208)

    Vulnerability from nvd – Published: 2024-04-23 17:26 – Updated: 2025-02-13 17:47
    VLAI
    Title
    Synapse's V2 state resolution weakness allows DoS from remote room members
    Summary
    Synapse is an open-source Matrix homeserver. A remote Matrix user with malicious intent, sharing a room with Synapse instances before 1.105.1, can dispatch specially crafted events to exploit a weakness in the V2 state resolution algorithm. This can induce high CPU consumption and accumulate excessive data in the database of such instances, resulting in a denial of service. Servers in private federations, or those that do not federate, are not affected. Server administrators should upgrade to 1.105.1 or later. Some workarounds are available. One can ban the malicious users or ACL block servers from the rooms and/or leave the room and purge the room using the admin API.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    Impacted products
    Vendor Product Version
    element-hq synapse Affected: < 1.105.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-31208",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-04-23T19:13:09.531555Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-23T18:42:58.878Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T01:46:04.624Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/element-hq/synapse/security/advisories/GHSA-3h7q-rfh9-xm4v",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/element-hq/synapse/security/advisories/GHSA-3h7q-rfh9-xm4v"
              },
              {
                "name": "https://github.com/element-hq/synapse/commit/55b0aa847a61774b6a3acdc4b177a20dc019f01a",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/element-hq/synapse/commit/55b0aa847a61774b6a3acdc4b177a20dc019f01a"
              },
              {
                "name": "https://github.com/element-hq/synapse/releases/tag/v1.105.1",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/element-hq/synapse/releases/tag/v1.105.1"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RR53FNHV446CB37TP45GZ6F6HZLZCK3K/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R6FCCO4ODTZ3FDS7TMW76PKOSEL2TQVB/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSF4NJJSTSQRJQ47PLYYSCFYKJBP7DET/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "synapse",
              "vendor": "element-hq",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.105.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Synapse is an open-source Matrix homeserver. A remote Matrix user with malicious intent, sharing a room with Synapse instances before 1.105.1, can dispatch specially crafted events to exploit a weakness in the V2 state resolution algorithm. This can induce high CPU consumption and accumulate excessive data in the database of such instances, resulting in a denial of service. Servers in private federations, or those that do not federate, are not affected. Server administrators should upgrade to 1.105.1 or later. Some workarounds are available. One can ban the malicious users or ACL block servers from the rooms and/or leave the room and purge the room using the admin API."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-03T02:06:09.197Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/element-hq/synapse/security/advisories/GHSA-3h7q-rfh9-xm4v",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/element-hq/synapse/security/advisories/GHSA-3h7q-rfh9-xm4v"
            },
            {
              "name": "https://github.com/element-hq/synapse/commit/55b0aa847a61774b6a3acdc4b177a20dc019f01a",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/element-hq/synapse/commit/55b0aa847a61774b6a3acdc4b177a20dc019f01a"
            },
            {
              "name": "https://github.com/element-hq/synapse/releases/tag/v1.105.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/element-hq/synapse/releases/tag/v1.105.1"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RR53FNHV446CB37TP45GZ6F6HZLZCK3K/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R6FCCO4ODTZ3FDS7TMW76PKOSEL2TQVB/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSF4NJJSTSQRJQ47PLYYSCFYKJBP7DET/"
            }
          ],
          "source": {
            "advisory": "GHSA-3h7q-rfh9-xm4v",
            "discovery": "UNKNOWN"
          },
          "title": "Synapse\u0027s V2 state resolution weakness allows DoS from remote room members"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-31208",
        "datePublished": "2024-04-23T17:26:39.171Z",
        "dateReserved": "2024-03-29T14:16:31.900Z",
        "dateUpdated": "2025-02-13T17:47:51.943Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2026-45078 (GCVE-0-2026-45078)

    Vulnerability from cvelistv5 – Published: 2026-05-28 15:52 – Updated: 2026-05-29 15:31
    VLAI
    Title
    Synapse CPU starvation (Denial of Service)
    Summary
    Synapse is an open source Matrix homeserver implementation. Prior to 1.152.1, local authenticated users can cause Synapse to starve other requests of CPU and lead to other requests failing, causing other users to be denied service. This vulnerability is fixed in 1.152.1.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    References
    Impacted products
    Vendor Product Version
    element-hq synapse Affected: < 1.152.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-45078",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-29T15:31:35.828810Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-29T15:31:44.793Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "synapse",
              "vendor": "element-hq",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.152.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Synapse is an open source Matrix homeserver implementation. Prior to 1.152.1, local authenticated users can cause Synapse to starve other requests of CPU and lead to other requests failing, causing other users to be denied service. This vulnerability is fixed in 1.152.1."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "LOCAL",
                "baseScore": 6.8,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-28T15:52:04.765Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/element-hq/synapse/security/advisories/GHSA-8q93-326v-3m7g",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/element-hq/synapse/security/advisories/GHSA-8q93-326v-3m7g"
            }
          ],
          "source": {
            "advisory": "GHSA-8q93-326v-3m7g",
            "discovery": "UNKNOWN"
          },
          "title": "Synapse CPU starvation (Denial of Service)"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-45078",
        "datePublished": "2026-05-28T15:52:04.765Z",
        "dateReserved": "2026-05-08T18:45:10.097Z",
        "dateUpdated": "2026-05-29T15:31:44.793Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-45076 (GCVE-0-2026-45076)

    Vulnerability from cvelistv5 – Published: 2026-05-28 15:50 – Updated: 2026-06-02 14:51
    VLAI
    Title
    Synapse pagination denial of service
    Summary
    Synapse is an open source Matrix homeserver implementation. Prior to 1.152.1, in federated rooms, malicious homeservers can craft room events in such a way that prevents Synapse from providing full history to paginating clients. Clients could therefore fail to display room history. This vulnerability is fixed in 1.152.1.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    References
    Impacted products
    Vendor Product Version
    element-hq synapse Affected: < 1.152.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-45076",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-02T14:51:22.795858Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-02T14:51:34.553Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "synapse",
              "vendor": "element-hq",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.152.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Synapse is an open source Matrix homeserver implementation. Prior to 1.152.1, in federated rooms, malicious homeservers can craft room events in such a way that prevents Synapse from providing full history to paginating clients. Clients could therefore fail to display room history. This vulnerability is fixed in 1.152.1."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.1,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "HIGH",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20: Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-28T15:50:25.842Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/element-hq/synapse/security/advisories/GHSA-6qf2-7x63-mm6v",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/element-hq/synapse/security/advisories/GHSA-6qf2-7x63-mm6v"
            }
          ],
          "source": {
            "advisory": "GHSA-6qf2-7x63-mm6v",
            "discovery": "UNKNOWN"
          },
          "title": "Synapse pagination denial of service"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-45076",
        "datePublished": "2026-05-28T15:50:25.842Z",
        "dateReserved": "2026-05-08T18:45:10.096Z",
        "dateUpdated": "2026-06-02T14:51:34.553Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-61672 (GCVE-0-2025-61672)

    Vulnerability from cvelistv5 – Published: 2025-10-08 14:55 – Updated: 2025-10-15 16:11
    VLAI
    Title
    Synapse: Invalid device keys degrade federation functionality
    Summary
    Synapse is an open source Matrix homeserver implementation. Lack of validation for device keys in Synapse before 1.138.3 and in Synapse 1.139.0 allow an attacker registered on the victim homeserver to degrade federation functionality, unpredictably breaking outbound federation to other homeservers. The issue is patched in Synapse 1.138.3, 1.138.4, 1.139.1, and 1.139.2. Note that even though 1.138.3 and 1.139.1 fix the vulnerability, they inadvertently introduced an unrelated regression. For this reason, the maintainers of Synapse recommend skipping these releases and upgrading straight to 1.138.4 and 1.139.2.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1287 - Improper Validation of Specified Type of Input
    Assigner
    Impacted products
    Vendor Product Version
    element-hq synapse Affected: < 1.138.3
    Affected: = 1.139.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-61672",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-15T16:10:58.297046Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-15T16:11:07.284Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "synapse",
              "vendor": "element-hq",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.138.3"
                },
                {
                  "status": "affected",
                  "version": "= 1.139.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Synapse is an open source Matrix homeserver implementation. Lack of validation for device keys in Synapse before 1.138.3 and in Synapse 1.139.0 allow an attacker registered on the victim homeserver to degrade federation functionality, unpredictably breaking outbound federation to other homeservers. The issue is patched in Synapse 1.138.3, 1.138.4, 1.139.1, and 1.139.2. Note that even though 1.138.3 and 1.139.1 fix the vulnerability, they inadvertently introduced an unrelated regression. For this reason, the maintainers of Synapse recommend skipping these releases and upgrading straight to 1.138.4 and 1.139.2."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "LOW"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1287",
                  "description": "CWE-1287: Improper Validation of Specified Type of Input",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-08T14:55:06.378Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/element-hq/synapse/security/advisories/GHSA-fh66-fcv5-jjfr",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/element-hq/synapse/security/advisories/GHSA-fh66-fcv5-jjfr"
            },
            {
              "name": "https://github.com/element-hq/synapse/pull/17097",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/element-hq/synapse/pull/17097"
            },
            {
              "name": "https://github.com/element-hq/synapse/commit/26aaaf9e48fff80cf67a20c691c75d670034b3c1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/element-hq/synapse/commit/26aaaf9e48fff80cf67a20c691c75d670034b3c1"
            },
            {
              "name": "https://github.com/element-hq/synapse/commit/7069636c2d6d1ef2022287addf3ed8b919ef2740",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/element-hq/synapse/commit/7069636c2d6d1ef2022287addf3ed8b919ef2740"
            },
            {
              "name": "https://github.com/element-hq/synapse/releases/tag/v1.138.3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/element-hq/synapse/releases/tag/v1.138.3"
            },
            {
              "name": "https://github.com/element-hq/synapse/releases/tag/v1.139.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/element-hq/synapse/releases/tag/v1.139.1"
            }
          ],
          "source": {
            "advisory": "GHSA-fh66-fcv5-jjfr",
            "discovery": "UNKNOWN"
          },
          "title": "Synapse: Invalid device keys degrade federation functionality"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-61672",
        "datePublished": "2025-10-08T14:55:06.378Z",
        "dateReserved": "2025-09-29T20:25:16.180Z",
        "dateUpdated": "2025-10-15T16:11:07.284Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-30355 (GCVE-0-2025-30355)

    Vulnerability from cvelistv5 – Published: 2025-03-27 00:59 – Updated: 2025-03-27 13:47
    VLAI
    Title
    Synapse vulnerable to federation denial of service via malformed events
    Summary
    Synapse is an open source Matrix homeserver implementation. A malicious server can craft events which, when received, prevent Synapse version up to 1.127.0 from federating with other servers. The vulnerability has been exploited in the wild and has been fixed in Synapse v1.127.1. No known workarounds are available.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    Impacted products
    Vendor Product Version
    element-hq synapse Affected: < 1.127.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-30355",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-27T13:47:41.011255Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-27T13:47:50.179Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "synapse",
              "vendor": "element-hq",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.127.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Synapse is an open source Matrix homeserver implementation. A malicious server can craft events which, when received, prevent Synapse version up to 1.127.0 from federating with other servers. The vulnerability has been exploited in the wild and has been fixed in Synapse v1.127.1. No known workarounds are available."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20: Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-03-27T00:59:27.996Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/element-hq/synapse/security/advisories/GHSA-v56r-hwv5-mxg6",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/element-hq/synapse/security/advisories/GHSA-v56r-hwv5-mxg6"
            },
            {
              "name": "https://github.com/element-hq/synapse/commit/2277df2a1eb685f85040ef98fa21d41aa4cdd389",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/element-hq/synapse/commit/2277df2a1eb685f85040ef98fa21d41aa4cdd389"
            },
            {
              "name": "https://github.com/element-hq/synapse/releases/tag/v1.127.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/element-hq/synapse/releases/tag/v1.127.1"
            }
          ],
          "source": {
            "advisory": "GHSA-v56r-hwv5-mxg6",
            "discovery": "UNKNOWN"
          },
          "title": "Synapse vulnerable to federation denial of service via malformed events"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-30355",
        "datePublished": "2025-03-27T00:59:27.996Z",
        "dateReserved": "2025-03-21T14:12:06.270Z",
        "dateUpdated": "2025-03-27T13:47:50.179Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-37303 (GCVE-0-2024-37303)

    Vulnerability from cvelistv5 – Published: 2024-12-03 17:06 – Updated: 2024-12-03 18:51
    VLAI
    Title
    Synapse unauthenticated writes to the media repository allow planting of problematic content
    Summary
    Synapse is an open-source Matrix homeserver. Synapse before version 1.106 allows, by design, unauthenticated remote participants to trigger a download and caching of remote media from a remote homeserver to the local media repository. Such content then also becomes available for download from the local homeserver in an unauthenticated way. The implication is that unauthenticated remote adversaries can use this functionality to plant problematic content into the media repository. Synapse 1.106 introduces a partial mitigation in the form of new endpoints which require authentication for media downloads. The unauthenticated endpoints will be frozen in a future release, closing the attack vector.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-306 - Missing Authentication for Critical Function
    Assigner
    References
    Impacted products
    Vendor Product Version
    element-hq synapse Affected: < 1.106
    Create a notification for this product.
    element-hq synapse Affected: 0 , < 1.106 (custom)
        cpe:2.3:a:element-hq:synapse:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:element-hq:synapse:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "synapse",
                "vendor": "element-hq",
                "versions": [
                  {
                    "lessThan": "1.106",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-37303",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-03T18:49:29.668536Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-12-03T18:51:29.590Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "synapse",
              "vendor": "element-hq",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.106"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Synapse is an open-source Matrix homeserver. Synapse before version 1.106 allows, by design, unauthenticated remote participants to trigger a download and caching of remote media from a remote homeserver to the local media repository. Such content then also becomes available for download from the local homeserver in an unauthenticated way. The implication is that unauthenticated remote adversaries can use this functionality to plant problematic content into the media repository. Synapse 1.106 introduces a partial mitigation in the form of new endpoints which require authentication for media downloads. The unauthenticated endpoints will be frozen in a future release, closing the attack vector."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-306",
                  "description": "CWE-306: Missing Authentication for Critical Function",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-12-03T17:06:02.467Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/element-hq/synapse/security/advisories/GHSA-gjgr-7834-rhxr",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/element-hq/synapse/security/advisories/GHSA-gjgr-7834-rhxr"
            },
            {
              "name": "https://github.com/matrix-org/matrix-spec-proposals/pull/3916",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/matrix-org/matrix-spec-proposals/pull/3916"
            }
          ],
          "source": {
            "advisory": "GHSA-gjgr-7834-rhxr",
            "discovery": "UNKNOWN"
          },
          "title": "Synapse unauthenticated writes to the media repository allow planting of problematic content"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-37303",
        "datePublished": "2024-12-03T17:06:02.467Z",
        "dateReserved": "2024-06-05T20:10:46.497Z",
        "dateUpdated": "2024-12-03T18:51:29.590Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-37302 (GCVE-0-2024-37302)

    Vulnerability from cvelistv5 – Published: 2024-12-03 17:04 – Updated: 2024-12-03 18:56
    VLAI
    Title
    Synapse denial of service through media disk space consumption
    Summary
    Synapse is an open-source Matrix homeserver. Synapse versions before 1.106 are vulnerable to a disk fill attack, where an unauthenticated adversary can induce Synapse to download and cache large amounts of remote media. The default rate limit strategy is insufficient to mitigate this. This can lead to a denial of service, ranging from further media uploads/downloads failing to completely unavailability of the Synapse process, depending on how Synapse was deployed. Synapse 1.106 introduces a new "leaky bucket" rate limit on remote media downloads to reduce the amount of data a user can request at a time. This does not fully address the issue, but does limit an unauthenticated user's ability to request large amounts of data to be cached.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    References
    Impacted products
    Vendor Product Version
    element-hq synapse Affected: < 1.106
    Create a notification for this product.
    element-hq synapse Affected: 0 , < 1.106 (custom)
        cpe:2.3:a:element-hq:synapse:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:element-hq:synapse:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "synapse",
                "vendor": "element-hq",
                "versions": [
                  {
                    "lessThan": "1.106",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-37302",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-03T18:55:21.581964Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-12-03T18:56:17.082Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "synapse",
              "vendor": "element-hq",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.106"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Synapse is an open-source Matrix homeserver. Synapse versions before 1.106 are vulnerable to a disk fill attack, where an unauthenticated adversary can induce Synapse to download and cache large amounts of remote media. The default rate limit strategy is insufficient to mitigate this. This can lead to a denial of service, ranging from further media uploads/downloads failing to completely unavailability of the Synapse process, depending on how Synapse was deployed. Synapse 1.106 introduces a new \"leaky bucket\" rate limit on remote media downloads to reduce the amount of data a user can request at a time. This does not fully address the issue, but does limit an unauthenticated user\u0027s ability to request large amounts of data to be cached."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-12-03T17:04:15.839Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/element-hq/synapse/security/advisories/GHSA-4mhg-xv73-xq2x",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/element-hq/synapse/security/advisories/GHSA-4mhg-xv73-xq2x"
            }
          ],
          "source": {
            "advisory": "GHSA-4mhg-xv73-xq2x",
            "discovery": "UNKNOWN"
          },
          "title": "Synapse denial of service through media disk space consumption"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-37302",
        "datePublished": "2024-12-03T17:04:15.839Z",
        "dateReserved": "2024-06-05T20:10:46.497Z",
        "dateUpdated": "2024-12-03T18:56:17.082Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-52805 (GCVE-0-2024-52805)

    Vulnerability from cvelistv5 – Published: 2024-12-03 17:01 – Updated: 2024-12-03 19:04
    VLAI
    Title
    Synapse allows unsupported content types to lead to memory exhaustion
    Summary
    Synapse is an open-source Matrix homeserver. In Synapse before 1.120.1, multipart/form-data requests can in certain configurations transiently increase memory consumption beyond expected levels while processing the request, which can be used to amplify denial of service attacks. Synapse 1.120.1 resolves the issue by denying requests with unsupported multipart/form-data content type.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    Impacted products
    Vendor Product Version
    element-hq synapse Affected: < 1.120.1
    Create a notification for this product.
    element-hq synapse Affected: 0 , < 1.120.1 (custom)
        cpe:2.3:a:element-hq:synapse:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:element-hq:synapse:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "synapse",
                "vendor": "element-hq",
                "versions": [
                  {
                    "lessThan": "1.120.1",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-52805",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-03T19:04:05.237385Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-12-03T19:04:44.446Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "synapse",
              "vendor": "element-hq",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.120.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Synapse is an open-source Matrix homeserver. In Synapse before 1.120.1, multipart/form-data requests can in certain configurations transiently increase memory consumption beyond expected levels while processing the request, which can be used to amplify denial of service attacks. Synapse 1.120.1 resolves the issue by denying requests with unsupported multipart/form-data content type."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-12-03T17:01:50.119Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/element-hq/synapse/security/advisories/GHSA-rfq8-j7rh-8hf2",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/element-hq/synapse/security/advisories/GHSA-rfq8-j7rh-8hf2"
            },
            {
              "name": "https://github.com/twisted/twisted/issues/4688#issuecomment-1167705518",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/twisted/twisted/issues/4688#issuecomment-1167705518"
            },
            {
              "name": "https://github.com/twisted/twisted/issues/4688#issuecomment-2385711609",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/twisted/twisted/issues/4688#issuecomment-2385711609"
            }
          ],
          "source": {
            "advisory": "GHSA-rfq8-j7rh-8hf2",
            "discovery": "UNKNOWN"
          },
          "title": "Synapse allows unsupported content types to lead to memory exhaustion"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-52805",
        "datePublished": "2024-12-03T17:01:50.119Z",
        "dateReserved": "2024-11-15T17:11:13.442Z",
        "dateUpdated": "2024-12-03T19:04:44.446Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-52815 (GCVE-0-2024-52815)

    Vulnerability from cvelistv5 – Published: 2024-12-03 16:58 – Updated: 2024-12-03 19:06
    VLAI
    Title
    Synapse allows a a malformed invite to break the invitee's `/sync`
    Summary
    Synapse is an open-source Matrix homeserver. Synapse versions before 1.120.1 fail to properly validate invites received over federation. This vulnerability allows a malicious server to send a specially crafted invite that disrupts the invited user's /sync functionality. Synapse 1.120.1 rejects such invalid invites received over federation and restores the ability to sync for affected users.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    References
    Impacted products
    Vendor Product Version
    element-hq synapse Affected: < 1.120.1
    Create a notification for this product.
    element-hq synapse Affected: 0 , < 1.120.1 (custom)
        cpe:2.3:a:element-hq:synapse:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:element-hq:synapse:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "synapse",
                "vendor": "element-hq",
                "versions": [
                  {
                    "lessThan": "1.120.1",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-52815",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-03T19:05:32.860627Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-12-03T19:06:11.082Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "synapse",
              "vendor": "element-hq",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.120.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Synapse is an open-source Matrix homeserver. Synapse versions before 1.120.1 fail to properly validate invites received over federation. This vulnerability allows a malicious server to send a specially crafted invite that disrupts the invited user\u0027s /sync functionality. Synapse 1.120.1 rejects such invalid invites received over federation and restores the ability to sync for affected users."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20: Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-12-03T16:59:21.634Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/element-hq/synapse/security/advisories/GHSA-f3r3-h2mq-hx2h",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/element-hq/synapse/security/advisories/GHSA-f3r3-h2mq-hx2h"
            }
          ],
          "source": {
            "advisory": "GHSA-f3r3-h2mq-hx2h",
            "discovery": "UNKNOWN"
          },
          "title": "Synapse allows a a malformed invite to break the invitee\u0027s `/sync`"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-52815",
        "datePublished": "2024-12-03T16:58:30.877Z",
        "dateReserved": "2024-11-15T17:11:13.444Z",
        "dateUpdated": "2024-12-03T19:06:11.082Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-53867 (GCVE-0-2024-53867)

    Vulnerability from cvelistv5 – Published: 2024-12-03 16:52 – Updated: 2024-12-03 19:07
    VLAI
    Title
    Synapse Matrix has a partial room state leak via Sliding Sync
    Summary
    Synapse is an open-source Matrix homeserver. The Sliding Sync feature on Synapse versions between 1.113.0rc1 and 1.120.0 can leak partial room state changes to users no longer in a room. Non-state events, like messages, are unaffected. This vulnerability is fixed in 1.120.1.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-497 - Exposure of Sensitive System Information to an Unauthorized Control Sphere
    Assigner
    References
    Impacted products
    Vendor Product Version
    element-hq synapse Affected: >= 1.113.0rc1, < 1.120.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-53867",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-03T19:07:06.315341Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-12-03T19:07:19.919Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "synapse",
              "vendor": "element-hq",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.113.0rc1, \u003c 1.120.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Synapse is an open-source Matrix homeserver. The Sliding Sync feature on Synapse versions between 1.113.0rc1 and 1.120.0 can leak partial room state changes to users no longer in a room. Non-state events, like messages, are unaffected. This vulnerability is fixed in 1.120.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-497",
                  "description": "CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-12-03T16:52:01.596Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/element-hq/synapse/security/advisories/GHSA-56w4-5538-8v8h",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/element-hq/synapse/security/advisories/GHSA-56w4-5538-8v8h"
            },
            {
              "name": "https://github.com/matrix-org/matrix-spec-proposals/pull/4186",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/matrix-org/matrix-spec-proposals/pull/4186"
            }
          ],
          "source": {
            "advisory": "GHSA-56w4-5538-8v8h",
            "discovery": "UNKNOWN"
          },
          "title": "Synapse Matrix has a partial room state leak via Sliding Sync"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-53867",
        "datePublished": "2024-12-03T16:52:01.596Z",
        "dateReserved": "2024-11-22T17:30:02.145Z",
        "dateUpdated": "2024-12-03T19:07:19.919Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-53863 (GCVE-0-2024-53863)

    Vulnerability from cvelistv5 – Published: 2024-12-03 16:48 – Updated: 2024-12-03 19:08
    VLAI
    Title
    Synapse can be forced to thumbnail unexpected file formats, invoking external, potentially untrustworthy decoders
    Summary
    Synapse is an open-source Matrix homeserver. In Synapse versions before 1.120.1, enabling the dynamic_thumbnails option or processing a specially crafted request could trigger the decoding and thumbnail generation of uncommon image formats, potentially invoking external tools like Ghostscript for processing. This significantly expands the attack surface in a historically vulnerable area, presenting a risk that far outweighs the benefit, particularly since these formats are rarely used on the open web or within the Matrix ecosystem. Synapse 1.120.1 addresses the issue by restricting thumbnail generation to images in the following widely used formats: PNG, JPEG, GIF, and WebP. This vulnerability is fixed in 1.120.1.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-434 - Unrestricted Upload of File with Dangerous Type
    Assigner
    References
    Impacted products
    Vendor Product Version
    element-hq synapse Affected: < 1.120.1
    Create a notification for this product.
    element-hq synapse Affected: 0 , < 1.120.1 (custom)
        cpe:2.3:a:element-hq:synapse:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:element-hq:synapse:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "synapse",
                "vendor": "element-hq",
                "versions": [
                  {
                    "lessThan": "1.120.1",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-53863",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-03T19:07:32.536899Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-12-03T19:08:30.218Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "synapse",
              "vendor": "element-hq",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.120.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Synapse is an open-source Matrix homeserver. In Synapse versions before 1.120.1, enabling the dynamic_thumbnails option or processing a specially crafted request could trigger the decoding and thumbnail generation of uncommon image formats, potentially invoking external tools like Ghostscript for processing. This significantly expands the attack surface in a historically vulnerable area, presenting a risk that far outweighs the benefit, particularly since these formats are rarely used on the open web or within the Matrix ecosystem. Synapse 1.120.1 addresses the issue by restricting thumbnail generation to images in the following widely used formats: PNG, JPEG, GIF, and WebP. This vulnerability is fixed in 1.120.1."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-434",
                  "description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-12-03T16:48:29.722Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/element-hq/synapse/security/advisories/GHSA-vp6v-whfm-rv3g",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/element-hq/synapse/security/advisories/GHSA-vp6v-whfm-rv3g"
            }
          ],
          "source": {
            "advisory": "GHSA-vp6v-whfm-rv3g",
            "discovery": "UNKNOWN"
          },
          "title": "Synapse can be forced to thumbnail unexpected file formats, invoking external, potentially untrustworthy decoders"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-53863",
        "datePublished": "2024-12-03T16:48:29.722Z",
        "dateReserved": "2024-11-22T17:30:02.145Z",
        "dateUpdated": "2024-12-03T19:08:30.218Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-31208 (GCVE-0-2024-31208)

    Vulnerability from cvelistv5 – Published: 2024-04-23 17:26 – Updated: 2025-02-13 17:47
    VLAI
    Title
    Synapse's V2 state resolution weakness allows DoS from remote room members
    Summary
    Synapse is an open-source Matrix homeserver. A remote Matrix user with malicious intent, sharing a room with Synapse instances before 1.105.1, can dispatch specially crafted events to exploit a weakness in the V2 state resolution algorithm. This can induce high CPU consumption and accumulate excessive data in the database of such instances, resulting in a denial of service. Servers in private federations, or those that do not federate, are not affected. Server administrators should upgrade to 1.105.1 or later. Some workarounds are available. One can ban the malicious users or ACL block servers from the rooms and/or leave the room and purge the room using the admin API.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    Impacted products
    Vendor Product Version
    element-hq synapse Affected: < 1.105.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-31208",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-04-23T19:13:09.531555Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-23T18:42:58.878Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T01:46:04.624Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/element-hq/synapse/security/advisories/GHSA-3h7q-rfh9-xm4v",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/element-hq/synapse/security/advisories/GHSA-3h7q-rfh9-xm4v"
              },
              {
                "name": "https://github.com/element-hq/synapse/commit/55b0aa847a61774b6a3acdc4b177a20dc019f01a",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/element-hq/synapse/commit/55b0aa847a61774b6a3acdc4b177a20dc019f01a"
              },
              {
                "name": "https://github.com/element-hq/synapse/releases/tag/v1.105.1",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/element-hq/synapse/releases/tag/v1.105.1"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RR53FNHV446CB37TP45GZ6F6HZLZCK3K/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R6FCCO4ODTZ3FDS7TMW76PKOSEL2TQVB/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSF4NJJSTSQRJQ47PLYYSCFYKJBP7DET/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "synapse",
              "vendor": "element-hq",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.105.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Synapse is an open-source Matrix homeserver. A remote Matrix user with malicious intent, sharing a room with Synapse instances before 1.105.1, can dispatch specially crafted events to exploit a weakness in the V2 state resolution algorithm. This can induce high CPU consumption and accumulate excessive data in the database of such instances, resulting in a denial of service. Servers in private federations, or those that do not federate, are not affected. Server administrators should upgrade to 1.105.1 or later. Some workarounds are available. One can ban the malicious users or ACL block servers from the rooms and/or leave the room and purge the room using the admin API."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-03T02:06:09.197Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/element-hq/synapse/security/advisories/GHSA-3h7q-rfh9-xm4v",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/element-hq/synapse/security/advisories/GHSA-3h7q-rfh9-xm4v"
            },
            {
              "name": "https://github.com/element-hq/synapse/commit/55b0aa847a61774b6a3acdc4b177a20dc019f01a",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/element-hq/synapse/commit/55b0aa847a61774b6a3acdc4b177a20dc019f01a"
            },
            {
              "name": "https://github.com/element-hq/synapse/releases/tag/v1.105.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/element-hq/synapse/releases/tag/v1.105.1"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RR53FNHV446CB37TP45GZ6F6HZLZCK3K/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R6FCCO4ODTZ3FDS7TMW76PKOSEL2TQVB/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSF4NJJSTSQRJQ47PLYYSCFYKJBP7DET/"
            }
          ],
          "source": {
            "advisory": "GHSA-3h7q-rfh9-xm4v",
            "discovery": "UNKNOWN"
          },
          "title": "Synapse\u0027s V2 state resolution weakness allows DoS from remote room members"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-31208",
        "datePublished": "2024-04-23T17:26:39.171Z",
        "dateReserved": "2024-03-29T14:16:31.900Z",
        "dateUpdated": "2025-02-13T17:47:51.943Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }